Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to parse the ip_address out of the raw event?

majilan1
Path Finder
‎07-12-2022 12:27 PM

Hi everyone!

Since I've never done | rex command, I would like to parse the ip_address out of the raw event using rex command.

The event is: org.apache.sor.client.soj.impl.HttpSorClient$Exception: Error from server at https://pimcv.sps.g:443/sor: Failed handshake due to exhausted 12 seconds timeout on channel [id: 0x2c132bc6, L:/56.201.42.175:42 - R:/56.201.45.41:86].

Can somebody help do this please!

Labels (1)
Labels
0 Karma
Reply

majilan1
Path Finder
‎07-12-2022 06:31 PM

Sorry for that, the IP address I want to extract is the ipR:/56.201.45.41:8609.

Thanks richgalloway!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-12-2022 01:28 PM

You don't say which IP address you want to extract so this regex should get both of them.

| rex "L:\/(?<ipL>[^:]+)\s-\sR:\/(?<ipR>[^:]+)"

It looks for the "L:/" eyecatcher and puts everything up to the next colon (:) into field "ipL" then it does the same thing with "R:/".

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...