Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I extract IP and port using regex in Splunk Cloud?

harishnpandey
Explorer
‎10-02-2018 08:21 AM

Hi ,

May I please get some help on extracting

1) IP only
2) IP and corresponding port together

Connection terminated before request headers read because of the connection error that occurs, from URL: 10.197.64.27:50421

Appreciate your help on this in advance

Thanks & regards,
Harish

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

harsmarvania57
Ultra Champion
‎10-02-2018 08:37 AM

Hi @harishpandey,

Please try below query, below regex will extract IP and Port in different fields.

<yourBaseSearch> | rex field=_raw "(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\:(?<port>\d+)"

If you want IP and port together try below query

<yourBaseSearch> | rex field=_raw "(?<ip_port>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d+)"

For IP address only

<yourBaseSearch> | rex field=_raw "(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

View solution in original post

Reply
Solved! Jump to solution

Vijeta
Influencer
‎10-02-2018 09:14 AM

Hi,

For IP and Port use this 

 rex field=str "URL: (?<IP>\S+)"

For eg:
| makeresults| eval str="Connection terminated before request headers read because of the connection error occurs, from URL: 10.197.64.27:50421" | rex field=str "URL: (?\S+)"

For only IP

rex field=str "URL: (?<IP>\S+):\d+"
0 Karma
Reply
Solved! Jump to solution
Solution

harsmarvania57
Ultra Champion
‎10-02-2018 08:37 AM

Hi @harishpandey,

Please try below query, below regex will extract IP and Port in different fields.

<yourBaseSearch> | rex field=_raw "(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\:(?<port>\d+)"

If you want IP and port together try below query

<yourBaseSearch> | rex field=_raw "(?<ip_port>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d+)"

For IP address only

<yourBaseSearch> | rex field=_raw "(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
Reply
Solved! Jump to solution

harishnpandey
Explorer
‎10-02-2018 09:08 AM

Thanks for your reply @harsmarvania57

However, I was trying with keyword URL: while extracting IP field so that I can limit my IP search that starts with URL: and ignore all other IP's

index=datapower | rex field=_raw URL:"(?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})"| stats count by ip|sort -count aesc

But, above one did not work 😞

0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎10-02-2018 09:26 AM

Try this 

index=datapower | rex field=_raw "URL\:\s(?<ip>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})"| stats count by ip|sort -count
0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top