Splunk Enterprise

How to parse the ip_address out of the raw event?

Path Finder

Hi everyone!

Since I've never done a | rex command, I would like to parse the ip_address out of the raw event using the rex command.

The event is: org.apache.sor.client.soj.impl.HttpSorClient$Exception: Error from server at https://pimcv.sps.g:443/sor: Failed handshake due to exhausted 12 seconds timeout on channel [id: 0x2c132bc6, L:/ - R:/].

Can somebody help me do this, please?


Path Finder

Sorry for that, the IP address I want to extract is the ipR:/

Thanks richgalloway!



You don't say which IP address you want to extract so this regex should get both of them.

| rex "L:\/(?<ipL>[^:]+)\s-\sR:\/(?<ipR>[^:]+)"

It looks for the "L:/" eyecatcher and puts everything up to the next colon (:) into field "ipL" then it does the same thing with "R:/".

If this reply helps you, Karma would be appreciated.
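
A run-anywhere search for checking an extraction like the one in the answer above, added here as an example and not part of the original thread. Both sample events are constructed, and the ip:port form after L:/ and R:/ is an assumption, because the addresses are blank in the posted event; the optional port groups and the portL/portR field names are illustrative.

```spl
| makeresults
| eval sample=split("constructed sample: channel [id: 0x2c132bc6, L:/192.0.2.10:51234 - R:/198.51.100.7:443].;constructed sample: channel [id: 0x2c132bc6, L:/192.0.2.10 - R:/198.51.100.7].", ";")
| mvexpand sample
| rex field=sample "L:\/(?<ipL>[^:\s\]]+)(?::(?<portL>\d+))?\s-\sR:\/(?<ipR>[^:\s\]]+)(?::(?<portR>\d+))?"
| table sample ipL portL ipR portR
```

The character class stops each address at a colon, whitespace or the closing bracket, so the same pattern handles events with and without a port. IPv6 addresses contain colons and are not covered by it.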