Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract a field from my raw data using rex?

alexspunkshell
Contributor
‎05-16-2022 11:45 AM

In my splunk logs, i have 2 IPs in 1 field name.

I want to extract both IPs create a new field as IP1 & IP2. Please help here.

The user XYZ was involved in an impossible travel incident. The user connected from two countries within 280 minutes, from these IP addresses: United States (205.000.000.0) and Italy (37.000.000.00). If any of these IP addresses are used by the organization for VPN connections and do not necessarily represent a physical location, we recommend categorizing them as VPN in the IP Address range page in Microsoft Defender for Cloud Apps portal to avoid false alerts.

 

Example

IP1 - 205.000.000.0

IP2 - 37.000.000.00

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-16-2022 11:30 PM

Hi @alexspunkshell,

if you could share a sample of your logs I could be more detailed in my answer,

anyway, you have two choices:

  • if you want to maintain separates IPs you have to find two different regexes, identifying something as difference,
  • if you're not interested to have different field names for the two IPs, you could use the same regex.

in the first case, try something like this:

your_search
| rex "IP\s+addresses:\s+(?<IP1>\d+\.\d+\.\d+\.\d+).*(?<IP2>\d+\.\d+\.\d+\.\d+)"

if you want also the country associated to each IP, you could use something like this (similar to @etoombs solution) :

your_search
| rex "IP\s+addresses:\s+(?<Country1>[^\(]+)\((?<IP1>\d+\.\d+\.\d+\.\d+).*(?<Country2>[^\(]+)\((?<IP2>\d+\.\d+\.\d+\.\d+)"

I prefer the following solution:

your_search
| rex "(?<Country>[^\(]+)\((?<IP>\d+\.\d+\.\d+\.\d+)"

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-16-2022 11:30 PM

Hi @alexspunkshell,

if you could share a sample of your logs I could be more detailed in my answer,

anyway, you have two choices:

  • if you want to maintain separates IPs you have to find two different regexes, identifying something as difference,
  • if you're not interested to have different field names for the two IPs, you could use the same regex.

in the first case, try something like this:

your_search
| rex "IP\s+addresses:\s+(?<IP1>\d+\.\d+\.\d+\.\d+).*(?<IP2>\d+\.\d+\.\d+\.\d+)"

if you want also the country associated to each IP, you could use something like this (similar to @etoombs solution) :

your_search
| rex "IP\s+addresses:\s+(?<Country1>[^\(]+)\((?<IP1>\d+\.\d+\.\d+\.\d+).*(?<Country2>[^\(]+)\((?<IP2>\d+\.\d+\.\d+\.\d+)"

I prefer the following solution:

your_search
| rex "(?<Country>[^\(]+)\((?<IP>\d+\.\d+\.\d+\.\d+)"

Ciao.

Giuseppe

Reply
Solved! Jump to solution

etoombs
Path Finder
‎05-16-2022 12:37 PM

If your raw data is always in exactly that format,  |rex field=_raw "IP addresses: (?<Country1>.*)\((?<IP1>.*) and (?<Country2>.*)\((?<IP2>.*)\)"

There's probably a more precise way that would be less error prone, but this might get you started.

Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...