index="testd" | rex field=_raw "Remote host:(?<Remotehost>.*):" |dedup Remotehost |stats count by Remotehost
My events:
Remote host:
2.136.12.186
:34126]@684574 useCount=1 bytesRead=0 bytesWritten=2994631 age=163708ms lastIO=5ms ))).onExceptionWrite exception
Expected output:
2.136.12.186
Thanks in advance
Can you please post search code and event strings as code (use the 101010 button in the editor), otherwise some parts will get messed up due to how the board handles certain special characters.
In general, to strictly extract an IP address, use a regex like this: \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
So for your example, you should probably use something like:
index="testd" | rex field=_raw "Remote host:(?<Remotehost>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
There are literally a million valid regexes on the Internet to extract IP addresses.
Assuming the following:
You could use this regex: ^((?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂
Hi
try with this regex
index="testd"
| rex "(?ms)Remote host:\s+(?<Remotehost>\d+\.\d+\.\d+\.\d+)"
| dedup Remotehost
| stats count by Remotehost
that you can test at https://regex101.com/r/NZkwci/2
Only one question: why do you dedup by Remotehost and then use stats count? The result will always be 1!
Bye.
Giuseppe
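Worked comparison of the three patterns discussed above (the question's original, the \d{1,3} version, and the strict 0-255 octet version), as an added example that is not from any post in this thread. It uses Python's re module to approximate Splunk's PCRE-based rex on constructed events (Python spells named groups (?P<name>...)), and the strict pattern joined to the "Remote host:" label is an assembly made for this example.

```python
import re

# Constructed sample events modelled on the one in the question: the label,
# the address and the rest of the line are separated by newlines. The last
# event carries an octet (999) that can never be a valid IPv4 value.
EVENTS = [
    "Remote host:\n2.136.12.186\n:34126]@684574 useCount=1 bytesRead=0",
    "Remote host:\n2.136.12.186\n:34127]@684575 useCount=1 bytesRead=0",
    "Remote host:\n10.0.0.7\n:34128]@684576 useCount=1 bytesRead=0",
    "Remote host:\n999.1.1.1\n:34129]@684577 useCount=1 bytesRead=0",
]

# The question's pattern: '.' does not cross the newline after the label,
# so nothing is extracted (Python re needs (?P<name>...) for named groups).
ORIGINAL = re.compile(r"Remote host:(?P<Remotehost>.*):")
# First answer's pattern plus the \s+ from Giuseppe's answer, which steps
# over the newline. Any 1-3 digit octet is accepted, so 999 slips through.
LOOSE = re.compile(r"Remote host:\s+(?P<Remotehost>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")
# Strict octet from the second answer (0-255 only), combined here with the
# label prefix; (?!\d) stops a fifth digit from being silently truncated.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
STRICT = re.compile(r"Remote host:\s+(?P<Remotehost>(?:" + OCTET + r"\.){3}" + OCTET + r")(?!\d)")

def extract(pattern, events):
    """Mimic `rex`: the Remotehost value per event, None where it fails."""
    out = []
    for ev in events:
        m = pattern.search(ev)
        out.append(m.group("Remotehost") if m else None)
    return out

def stats_count_by(values):
    """Mimic `| stats count by Remotehost` (events without the field skipped)."""
    counts = {}
    for v in values:
        if v is not None:
            counts[v] = counts.get(v, 0) + 1
    return counts

def dedup_then_count(values):
    """Mimic `| dedup Remotehost | stats count by Remotehost`: every count is 1."""
    seen = []
    for v in values:
        if v is not None and v not in seen:
            seen.append(v)
    return stats_count_by(seen)
```

Running extract with each pattern shows the original matches nothing, the loose one accepts 999.1.1.1, and the strict one drops it; dedup before stats collapses every count to 1, as Giuseppe points out.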
I created Splunk macros for regular expressions for IPv4 addresses.
Definitions and usages are in an article below.
https://qiita.com/Joh256/private/659ef65897905890ef99.
I also put them in an add-on below.
https://splunkbase.splunk.com/app/6595