Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me build a regex that extracts an IP Address from a log message?

gokikrishnan198
New Member
‎11-15-2018 07:07 PM

How do I extract an IP address from a log message using regex? All the four octets need to be pulled at a time,

rex field=LogMsg "Ip Address :(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

Not sure, \d{1,3}, why 1 is being used here. But the above query did not work.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎11-16-2018 06:18 AM

The \d{1,3} means at least one digit, at most 3 digits. Which is sensible for IP octets. I don't see an obvious reason why the regex would't work. At least the part capturing the IP address looks OK to me (assuming you had something like <ip> after the ?. See also: https://regex101.com/r/U5bog1/1

Are you sure the field name specified is ok? Are you sure the "Ip Address :" part is OK? Perhaps share some sample data.

PS: a . matches anything in a regex. So also a literal .. A safer regex would be: (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) which only matches digits separated by literal . characters.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ashwinm
Explorer
‎11-16-2018 02:05 PM

The d{1,3} is used to denote that there might be min of 1 digit and max of 3 digits , when it comes to IP's we know the range can be from 0 to 255. So best practise is to use " d{1,3}.\d{1,3}.\d{1,3}.\d{1,3} ". In your case error might be with the fieldname.,

0 Karma
Reply
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎11-16-2018 06:18 AM

The \d{1,3} means at least one digit, at most 3 digits. Which is sensible for IP octets. I don't see an obvious reason why the regex would't work. At least the part capturing the IP address looks OK to me (assuming you had something like <ip> after the ?. See also: https://regex101.com/r/U5bog1/1

Are you sure the field name specified is ok? Are you sure the "Ip Address :" part is OK? Perhaps share some sample data.

PS: a . matches anything in a regex. So also a literal .. A safer regex would be: (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) which only matches digits separated by literal . characters.

0 Karma
Reply
Solved! Jump to solution

gokikrishnan198
New Member
‎11-20-2018 09:26 PM

Thanks. It was perfect.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...