Solved: Re: How to create a regex to extract the first IP ...

reverse · ‎06-12-2019

There are multiple ip addresses in a raw event line and I only need the first one
How can I achieve that?

192.168.0.1 -192.168.0.5 gcgh 192.168.0.7gcgh 192.168.0.7 gcgh 192.168.0.8 gcgh 192.168.0.9 gcgh

felipesewaybric · ‎06-12-2019

Something like that:

([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\/*\d*).+

jazzypai · ‎06-12-2019

Adding context for anyone coming here for answers.

Assuming msg is the field name, the following would result in the first IP found

| makeresults  
| eval msg = "192.128.22.2 202.134.55.89" 
| rex field=msg "(?<firstip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

If additional IPs needed to be extracted then a max_match = # could be added to the rex line.

felipesewaybric · ‎06-12-2019

Something like that:

([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\/*\d*).+

reverse · ‎06-12-2019

worked by removing .+ at the end ...

reverse · ‎06-12-2019

How to create a regex to extract the first IP address from multiple IP addresses in an event line?