Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Extract field from another field

lohit
Path Finder
‎05-24-2015 11:16 PM

Hi All,

I am having a field which has content like below

abc xyz sksk lsmlmlspmwmlmwpn wonmwm:29299 (abcxmmowmo.wsibi.w) X-Forwarded-For: xxx.xx.xxx.xxx xyz

Please note that there is a space between X-Forwarded-For:<space>xxx.xx.xxx.xxx

I want to extract the value of X-Forwarded-For: and then match it with a list of IPs from a lookup list and finally disregard those logs where this is a match.

PLease help !!

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎05-24-2015 11:36 PM

Hi lohit,

you can use something like this:

your base search the get the field | rex field=TheFieldName "X-Forwarded-For:\s(?<myNew>.*)\s" | ....

This will create a new field called myNew.
Also take a look at this page https://regex101.com to learn and try regex and as well at the docs about the field extractor http://docs.splunk.com/Documentation/Splunk/6.2.3/Knowledge/ExtractfieldsinteractivelywithIFX and learn how to use it. It helps you to get anything out of your events into fields, which then can be used in any further search within the same app.

Hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎05-24-2015 11:36 PM

Hi lohit,

you can use something like this:

your base search the get the field | rex field=TheFieldName "X-Forwarded-For:\s(?<myNew>.*)\s" | ....

This will create a new field called myNew.
Also take a look at this page https://regex101.com to learn and try regex and as well at the docs about the field extractor http://docs.splunk.com/Documentation/Splunk/6.2.3/Knowledge/ExtractfieldsinteractivelywithIFX and learn how to use it. It helps you to get anything out of your events into fields, which then can be used in any further search within the same app.

Hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution

lohit
Path Finder
‎05-24-2015 11:59 PM

Thanks MuS. I figured it out earlier but with a more complex regex.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-06-2015 09:36 AM

When you figure out your own answer, the proper thing to to is to answer your own question here and "Accept" your answer so that other people won't waste time trying to help you when you don't need it and so that others can be helped by your answer.

0 Karma
Reply
Solved! Jump to solution

lohit
Path Finder
‎06-06-2015 09:43 AM

Woodcock, if you can see i have already accepted MuS solution to be an answer. My reply was similar to MuS on that. Anywayz thanks for the suggestion.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...