How to edit regex for existing fields

jas0049 · ‎05-27-2019

Hi!
need to edit existing fields using regex as its not giving proper values.
e.g. there is field called "IP" (auto extracted ) its have IP address with some other values. so need to remove extra values apart from ip address.
Please suggest.

woodcock · ‎05-27-2019

The regex command is a search filtering command, not a field creating/parsing command. You need to use rex for that.

koshyk · ‎05-27-2019

Splunk can do it easily during search time. Please find regex for various IP address types

 | makeresults
 | eval mixedIP="10.0.0.1:8000"
 | rex field=mixedIP "(?<ipv4>(?:[0-9]{1,3}\.){3}[0-9]{1,3})"

..

cpetterborg · ‎05-27-2019

You can always use the rex command to create/modify a field that is always extracted. For example:

| makeresults
| eval IP="10.0.0.1:9997"
| rex field=IP "(?<myIP>[\d.]+)"

will result in myIP containing just the IP, and not the port from the IP field.

For future reference, it is always best to give some example data with your question so that it is easier to help answer you particular problem.

How to edit regex for existing fields

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Calling All Security Pros: Ready to Race Through Boston?

Are you a member of the Splunk Community?

How to edit regex for existing fields

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Calling All Security Pros: Ready to Race Through Boston?