Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to parse the ip_address out of the raw event?

majilan1
Path Finder
‎07-12-2022 12:27 PM

Hi everyone!

Since I've never done | rex command, I would like to parse the ip_address out of the raw event using rex command.

The event is: org.apache.sor.client.soj.impl.HttpSorClient$Exception: Error from server at https://pimcv.sps.g:443/sor: Failed handshake due to exhausted 12 seconds timeout on channel [id: 0x2c132bc6, L:/56.201.42.175:42 - R:/56.201.45.41:86].

Can somebody help do this please!

Labels (1)
Labels
0 Karma
Reply

majilan1
Path Finder
‎07-12-2022 06:31 PM

Sorry for that, the IP address I want to extract is the ipR:/56.201.45.41:8609.

Thanks richgalloway!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-12-2022 01:28 PM

You don't say which IP address you want to extract so this regex should get both of them.

| rex "L:\/(?<ipL>[^:]+)\s-\sR:\/(?<ipR>[^:]+)"

It looks for the "L:/" eyecatcher and puts everything up to the next colon (:) into field "ipL" then it does the same thing with "R:/".

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...