How to filter ip from url

saurav47 · ‎07-17-2022

Hi All,

i want to filter out url that contains IP , one way is i can write regex for it,, extract IP in other field and then i can filter out with that field, but here i want to save run time as well,, as i dont have fixed index,, i need to search all indexes that are having field url with ip address,, so i want to apply search first instead of extracting ips.

raw url formats are =http://1.1.1.1/, 1.1.1.1:443, http://1.1.1.1/xyc.co
i tried so far

(index=*) |fields url |where match )url, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\")

it is working but only showing url as 1.1.1.1:443, not rest formats.
any idea what can i do?

note: i dont want to write regex to extract IPs in new field first and than apply search (new field=*), it will work but query will take time as first it will search for all the urls,, then apply regex and then will apply filter.

bowesmana · ‎07-17-2022

You are anchoring the start of the string to match with ^

Try this example, where the regex matches an optional https at the start of the string

| makeresults
| eval url=split("http://1.1.1.1/,1.1.1.1:443,http://1.1.1.1/xyc.co,https://1.254.21.2221?q=abc,9.9.9.9.443", ",")
| mvexpand url
| where match(url, "(https?)?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")

How to filter ip from url

other

using Splunk Enterprise

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?