Splunk Search

Extract part of a field

Engager

Within my Proxy server logs, I have a field (src_ip) and I would like to only get the first 3 octets of the address.

1286536308.779    180 192.168.0.224 TCP_MISS/200 411 GET http://liveupdate.symantecliveupdate.com/minitri.flg - DIRECT/125.23.216.203 text/plain
1286536308.910     37 192.168.0.224 TCP_MISS/200 4083 GET http://liveupdate.symantecliveupdate.com/streaming/norton$202009$20streaming$20virus$20definitions_1... - DIRECT/125.23.216.203 application/zip
1286536309.450    917 192.168.0.227 TCP_MISS/200 20670 GET http://www.youtube.com/watch? - DIRECT/209.85.231.136 text/html
1286536309.549    172 192.168.0.227 TCP_MISS/204 294 GET http://v15.lscache3.c.youtube.com/generate_204? - DIRECT/122.160.120.150 text/html

What I would to get back from something like this, is just...

192.168.0

Is this possible?

Tags (3)
0 Karma
1 Solution

Splunk Employee
Splunk Employee

You can use the rex command:

... | rex field=src_ip "(?<ip_start>\d+\.\d+\.\d+)"

There will now be a field called ip_start which will have the first 3 octets of the ip address.

View solution in original post

Splunk Employee
Splunk Employee

You can use the rex command:

... | rex field=src_ip "(?<ip_start>\d+\.\d+\.\d+)"

There will now be a field called ip_start which will have the first 3 octets of the ip address.

View solution in original post

Engager

Very slick. Thank you!

0 Karma

Path Finder
0 Karma