Solved: How do I remove certain IP addresses with only 3 o...

luongg · ‎07-20-2016

I have a file that contains a list of IP addresses (Some that are full IPv4 and some that only have an IP with the first 3 octets). I was able to upload the file into Splunk as a lookup file and search for it to display it on Splunk Web. Assuming that I have one column with a mixture of IP addresses that are either IPv4 (Ex: 10.4.123.11) or IPv4 with only the first 3 octets showing (Ex: 10.1.236). Is there an easy way to remove any IP address entries that only have the 3 octets?

somesoni2 · ‎07-20-2016

Not sure if I get the requirement completely. But give this a try.

| inputlookup yourlookup.csv | regex yourIpfield!="^\d+\.\d+\.\d+$"

View solution in original post

Raschko · ‎07-20-2016

You could use a regex on the IP field, like:

your search | regex ipfield="^(?!\d{1,3}\.\d{1,3}\.\d{1,3}$)"

somesoni2 · ‎07-20-2016

Not sure if I get the requirement completely. But give this a try.

| inputlookup yourlookup.csv | regex yourIpfield!="^\d+\.\d+\.\d+$"

luongg · ‎07-20-2016

This worked out perfectly. Thanks for the help!

How do I remove certain IP addresses with only 3 octets in the Search app?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio