Splunk Enterprise

How to parse the ip_address out of the raw event?

Path Finder

Hi everyone!

Since I've never done | rex command, I would like to parse the ip_address out of the raw event using rex command.

The event is: org.apache.sor.client.soj.impl.HttpSorClient$Exception: Error from server at https://pimcv.sps.g:443/sor: Failed handshake due to exhausted 12 seconds timeout on channel [id: 0x2c132bc6, L:/ - R:/].

Can somebody help do this please!

Labels (1)
0 Karma

Path Finder

Sorry for that, the IP address I want to extract is the ipR:/

Thanks richgalloway!

0 Karma


You don't say which IP address you want to extract so this regex should get both of them.

| rex "L:\/(?<ipL>[^:]+)\s-\sR:\/(?<ipR>[^:]+)"

It looks for the "L:/" eyecatcher and puts everything up to the next colon (:) into field "ipL" then it does the same thing with "R:/".

If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Attention everyone! We have exciting news to share! We are recruiting new members for the Mission Possible: ...

Unify Your SecOps with Splunk Mission Control

In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...

Data Preparation Made Easy: SPL2 for Edge Processor

By now, you may have heard the exciting news that Edge Processor, the easy-to-use Splunk data preparation tool ...