grabbing IP from ssh auth log

New Member

Hi there, new to splunk.

I have some records that take two different forms (both denote ssh login failed). I want to make a chart of the top offending remote IP addresses, Can I extract the IP in the same query from these strings even though they have a different number of words preceding it?

Mar 27 19:45:22 Mar 27 19:45:22 monitor-demo sshd[26449]: Failed password for root from port 2024 ssh2
Mar 27 19:45:22 Mar 27 19:45:22 monitor-demo sshd[26447]: Failed password for invalid user admin from port 2016 ssh2

Tags (2)
0 Karma


Hi kevinlong206,

you can do something like this if the IP is always after from and before port:

.... | rex field=_raw "from\s(?<theBadGuy>.+)\sport" | ....

or to make sure you only grab numbers

.... | rex field=_raw "from\s(?<theBadGuy>(\d+\.){3}\d+)\sport" | ...

this will create a new field called theBadGuy which can be used further.

hope this helps ...

cheers, MuS

Get Updates on the Splunk Community!

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...