Hey Guys,
I have the following output:
Server: abc-ij-qwerty88.asdf.xyz.com Address: 10.10.254.97 DNS request timed out. timeout was 2 seconds. DNS request timed out. timeout was 2 seconds. Name: google.com Address: 172.217.20.46
I'd like to extract the Last IP from the string.
I tried the following search with rex, but it returns a blank result:
.... | rex field=_raw "(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$)" | table ip_address
Where did I go wrong?
Your help is appreciated. Thanks!
There's probably a LF at the end. Try this
... | rex "(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})[\n\t\s]$" | ...
just move the "$" outside the rex match.
.... | rex field=_raw "(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$" | table ip_address
Thanks for your help! This didn't work, but the inclusion of [\n\t\s] at the end (1st answer) worked for me. Thanks again for your help.
There's probably a LF at the end. Try this
... | rex "(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})[\n\t\s]$" | ...
Thank you! This worked for me. What did you mean by an "LF" at the end?
Line feed. or line break
you did not put the name of the tag ?<ip_address>
which you are tabl(ing)
.... | rex field=_raw "(?<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$" | table ip_address
Sorry, yeah I did use the tag but somehow forgot it when making this post. I tried your query but it produced the same blank results. The first answer solved my issue. Thanks!
You were almost there. Use like this
.... | rex field=_raw "(?<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$" | table ip_address
I had tried this earlier, but it didn't work for me. Thanks for taking the time to help me!