Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to edit my regular expression to extract t...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bakalon
Explorer
10-25-2016
12:19 PM
Hey Guys,
I have the following output:
Server: abc-ij-qwerty88.asdf.xyz.com Address: 10.10.254.97 DNS request timed out. timeout was 2 seconds. DNS request timed out. timeout was 2 seconds. Name: google.com Address: 172.217.20.46
I'd like to extract the Last IP from the string.
I tried the following search with rex, but it returns a blank result:
.... | rex field=_raw "(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$)" | table ip_address
Where did I go wrong?
Your help is appreciated. Thanks!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
10-25-2016
12:34 PM
There's probably a LF at the end. Try this
... | rex "(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})[\n\t\s]$" | ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
inventsekar
SplunkTrust
10-25-2016
12:38 PM
just move the "$" outside the rex match.
- Rex match should be inside parentheses "(.....)",
- and to position the rex match, we can use this anchor "$", (which means at the end of line, ...opposite of "^" - beginning of the line)
.... | rex field=_raw "(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$" | table ip_address
thanks and best regards,
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bakalon
Explorer
10-26-2016
04:37 AM
Thanks for your help! This didn't work, but the inclusion of [\n\t\s] at the end (1st answer) worked for me. Thanks again for your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
10-25-2016
12:34 PM
There's probably a LF at the end. Try this
... | rex "(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})[\n\t\s]$" | ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bakalon
Explorer
10-26-2016
04:34 AM
Thank you! This worked for me. What did you mean by an "LF" at the end?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
10-26-2016
04:39 AM
Line feed. or line break
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gokadroid
Motivator
10-25-2016
12:29 PM
you did not put the name of the tag ?<ip_address> which you are tabl(ing)
.... | rex field=_raw "(?<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$" | table ip_address
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bakalon
Explorer
10-26-2016
04:35 AM
Sorry, yeah I did use the tag but somehow forgot it when making this post. I tried your query but it produced the same blank results. The first answer solved my issue. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-25-2016
12:29 PM
You were almost there. Use like this
.... | rex field=_raw "(?<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$" | table ip_address
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bakalon
Explorer
10-26-2016
04:35 AM
I had tried this earlier, but it didn't work for me. Thanks for taking the time to help me!
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Tech Talk Recap | Mastering Threat Hunting
Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...
Observability for AI Applications: Troubleshooting Latency
If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...
