Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me build a regex that extracts an IP Address from a log message?

gokikrishnan198
New Member
‎11-15-2018 07:07 PM

How do I extract an IP address from a log message using regex? All the four octets need to be pulled at a time,

rex field=LogMsg "Ip Address :(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

Not sure, \d{1,3}, why 1 is being used here. But the above query did not work.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎11-16-2018 06:18 AM

The \d{1,3} means at least one digit, at most 3 digits. Which is sensible for IP octets. I don't see an obvious reason why the regex would't work. At least the part capturing the IP address looks OK to me (assuming you had something like <ip> after the ?. See also: https://regex101.com/r/U5bog1/1

Are you sure the field name specified is ok? Are you sure the "Ip Address :" part is OK? Perhaps share some sample data.

PS: a . matches anything in a regex. So also a literal .. A safer regex would be: (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) which only matches digits separated by literal . characters.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ashwinm
Explorer
‎11-16-2018 02:05 PM

The d{1,3} is used to denote that there might be min of 1 digit and max of 3 digits , when it comes to IP's we know the range can be from 0 to 255. So best practise is to use " d{1,3}.\d{1,3}.\d{1,3}.\d{1,3} ". In your case error might be with the fieldname.,

0 Karma
Reply
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎11-16-2018 06:18 AM

The \d{1,3} means at least one digit, at most 3 digits. Which is sensible for IP octets. I don't see an obvious reason why the regex would't work. At least the part capturing the IP address looks OK to me (assuming you had something like <ip> after the ?. See also: https://regex101.com/r/U5bog1/1

Are you sure the field name specified is ok? Are you sure the "Ip Address :" part is OK? Perhaps share some sample data.

PS: a . matches anything in a regex. So also a literal .. A safer regex would be: (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) which only matches digits separated by literal . characters.

0 Karma
Reply
Solved! Jump to solution

gokikrishnan198
New Member
‎11-20-2018 09:26 PM

Thanks. It was perfect.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...