Knowledge Management

How to extract client IPs in a different format than Splunk recognizes?

allyandrews14
New Member

I am researching information into error log files and the way they're formatted is different so Splunk doesn't recognize the client ip addresses even though they're there and I have to format a report on the top 50 ip addresses, but I am not sure how to go about extracting them? Or if I need to add a new field?

As well, I had to format a list of the top 50 error types and it turned out that there were only 10 error types that covered all the log. But, when I went to record the count, when I added them all up, there was more than Splunk is showing as the count of the whole log file. I have double and triple checked, isolated each of the events and adding them up and even excluding one event and checking to see the amount left over. I can't seem to figure out what could be wrong.

Tags (1)
0 Karma

MHibbin
Influencer

Any example for the raw events containing the IP address. At a basic level, the following regex will pick up IP addresses in dotted decimal format (e.g. 192.168.0.2)

(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

There is a more specific regex, as this would pick up subnet masks (e.g. 255.255.255.0) if they exist.

0 Karma
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! &#x1f308; In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...