Splunk Search

How to edit regex for existing fields

jas0049
New Member

Hi!
I need to edit existing fields using regex as it's not giving proper values.
E.g. there is a field called "IP" (auto extracted); it has an IP address with some other values, so I need to remove the extra values apart from the IP address.
Please suggest.

0 Karma

woodcock
Esteemed Legend

The regex command is a search filtering command, not a field creating/parsing command. You need to use rex for that.

0 Karma

koshyk
Super Champion

Splunk can do it easily at search time. Please find the regex for various IP address types:

| makeresults
| eval mixedIP="10.0.0.1:8000"
| rex field=mixedIP "(?<ipv4>(?:[0-9]{1,3}\.){3}[0-9]{1,3})"

..

0 Karma

cpetterborg
SplunkTrust

You can always use the rex command to create/modify a field that is always extracted. For example:

| makeresults
| eval IP="10.0.0.1:9997"
| rex field=IP "(?<myIP>[\d.]+)"

will result in myIP containing just the IP, and not the port from the IP field.

For future reference, it is always best to give some example data with your question so that it is easier to help answer your particular problem.

0 Karma
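Added example, not from either answer above and written in Python rather than SPL: it runs the two patterns posted in this thread, the loose `[\d.]+` and the dotted-quad `(?:[0-9]{1,3}\.){3}[0-9]{1,3}`, over constructed sample values for the "IP" field so the difference shows up, and adds a third variant that fences the quad with lookarounds and validates each octet with the standard-library `ipaddress` module. The sample strings, the `BOUNDED` pattern and the helper names are assumptions made for this example. The regex syntax is the same PCRE-style syntax `rex` accepts, so the tighter pattern can be pasted into `rex field=IP "..."` unchanged; the octet validation step is the part that has to stay outside the regex.

```python
import re
import ipaddress

# Constructed sample values for an "IP" field that carries extra data
# alongside the address (port, brackets, timestamps). Not from the thread.
SAMPLES = [
    "10.0.0.1:9997",
    "[192.168.1.20]:443",
    "2024.03.01 172.16.5.9 GET /",   # a dotted run that is not an IP comes first
    "999.1.2.3 10.1.1.1",            # first dotted quad has an octet > 255
    "fe80::1 no ipv4 here",          # IPv6 only; an IPv4 extractor should return nothing
    "build 1.2.3.4.5 ok",            # five dotted parts: a version string, not an address
]

# The two patterns from the thread, with the same named groups rex would create.
LOOSE = re.compile(r"(?P<myIP>[\d.]+)")
DOTTED_QUAD = re.compile(r"(?P<ipv4>(?:[0-9]{1,3}\.){3}[0-9]{1,3})")

# Assumed stricter variant: lookarounds stop the quad from being cut out of a
# longer dotted run such as "1.2.3.4.5". PCRE (and therefore rex) supports these.
BOUNDED = re.compile(
    r"(?<![\d.])(?P<ipv4>(?:[0-9]{1,3}\.){3}[0-9]{1,3})(?![\d.])"
)


def first_match(pattern, text):
    """Return the first capture of `pattern` in `text`, or None (rex semantics)."""
    m = pattern.search(text)
    return m.group(1) if m else None


def extract_ipv4(text):
    """Return the first bounded dotted quad whose octets are all 0-255, else None.

    ipaddress.IPv4Address rejects octets above 255, which no regex quad
    pattern of the form above checks by itself.
    """
    for m in BOUNDED.finditer(text):
        candidate = m.group("ipv4")
        try:
            ipaddress.IPv4Address(candidate)
            return candidate
        except ipaddress.AddressValueError:
            continue
    return None


def compare(text):
    """Show what each approach pulls out of one raw field value."""
    return {
        "loose": first_match(LOOSE, text),
        "dotted_quad": first_match(DOTTED_QUAD, text),
        "validated": extract_ipv4(text),
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:34} -> {compare(sample)}")
```

On the simple "address:port" values all three approaches agree. The loose pattern starts to diverge as soon as any other run of digits and dots precedes the address in the field (a timestamp, an IPv6 fragment), because `[\d.]+` will happily return "2024.03.01" or "80"; the dotted-quad pattern skips those but still accepts "999.1.2.3", and only the validated version returns the real address from that value.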