Hi!
I need to edit existing fields using regex, as they are not giving proper values.
E.g. there is a field called "IP" (auto-extracted); it has an IP address together with some other values, so I need to remove the extra values apart from the IP address.
Please suggest.
The regex command is a search filtering command, not a field creating/parsing command. You need to use rex for that.
Splunk can do it easily at search time. Please find below regexes for various IP address types:
| makeresults
| eval mixedIP="10.0.0.1:8000"
| rex field=mixedIP "(?<ipv4>(?:[0-9]{1,3}\.){3}[0-9]{1,3})"
..
You can always use the rex command to create/modify a field that is already extracted. For example:
| makeresults
| eval IP="10.0.0.1:9997"
| rex field=IP "(?<myIP>[\d.]+)"
will result in myIP containing just the IP, and not the port from the IP field.
For future reference, it is always best to give some example data with your question so that it is easier to help answer your particular problem.
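To see what the two rex patterns in the answers above actually capture, here is an added example (not part of the thread, and not Splunk's own code) that runs the same regexes with Python's re module over a handful of constructed field values. The patterns are unchanged apart from Python's (?P<name>...) syntax for named groups where Splunk's rex uses PCRE's (?<name>...); the third, bounded pattern and the ipaddress validation are my additions, shown because the plain octet regex alone will happily match 999.1.1.1 or the tail of 1234.5.6.7.

```python
"""Replay the rex patterns from the thread against constructed sample values.

Added example, not from the original post. The sample values are made up.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Pattern from the first answer: four dot-separated 1-3 digit groups.
IPV4_OCTETS = re.compile(r"(?P<ipv4>(?:[0-9]{1,3}\.){3}[0-9]{1,3})")

# Pattern from the second answer: any run of digits and dots.
DIGITS_DOTS = re.compile(r"(?P<myIP>[\d.]+)")

# Assumed hardening (not in the thread): refuse to start or end the match
# next to another digit or dot, so "1234.5.6.7" does not yield "234.5.6.7".
IPV4_BOUNDED = re.compile(
    r"(?<![\d.])(?P<ipv4>(?:[0-9]{1,3}\.){3}[0-9]{1,3})(?![\d.])"
)


def rex(pattern: re.Pattern, value: str) -> Optional[str]:
    """Mimic `rex field=<f> "<pattern>"`: first match wins, no match = null field."""
    m = pattern.search(value)
    return m.group(1) if m else None


def extract_ipv4(value: str) -> Optional[str]:
    """Bounded regex plus a real parse, so 999.1.1.1 is skipped, not returned."""
    for m in IPV4_BOUNDED.finditer(value):
        try:
            return str(ipaddress.IPv4Address(m.group("ipv4")))
        except ipaddress.AddressValueError:
            continue  # looked like an IP but has an octet > 255
    return None


def compare_patterns(value: str) -> Dict[str, Optional[str]]:
    """Run every approach over one field value and return what each extracts."""
    return {
        "octets": rex(IPV4_OCTETS, value),
        "digits_dots": rex(DIGITS_DOTS, value),
        "validated": extract_ipv4(value),
    }


# Constructed sample values for a field like the poster's "IP".
SAMPLES: List[str] = [
    "10.0.0.1:8000",            # the case from the thread: IP plus port
    "src=192.168.1.25/24",      # key=value with a prefix length
    "v2.1 10.0.0.1:443",        # a version string before the IP
    "999.1.1.1 10.0.0.5:22",    # an IP-shaped token that is not an IP
    "1234.5.6.7",               # too many leading digits
    "2001:db8::1",              # IPv6: none of the IPv4 patterns should fire
    "hostname-only",            # nothing to extract
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:28} -> {compare_patterns(sample)}")
```

The interesting rows are the third and fourth: [\d.]+ grabs "2.1" from the version string because it is the first run of digits and dots, while the octet pattern skips it; and both regexes return "999.1.1.1", which only the ipaddress parse rejects. For IPv6 values, [\d.]+ returns a bare "2001", so if the IP field can carry either family, use a pattern specific to each rather than a loose character class.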