Solved: Re: How to extract only IP's from text?

harishnpandey · ‎08-14-2018

trans(776800911)[10.173.36.75]: Request processing failed: Network Error, from URL: 10.173.36.73:57743
trans(776800912)[10.173.36.75]: Request processing failed: Network Error, from URL: 10.173.36.74:57743
trans(776800913)[10.173.36.75]: Request processing failed: Network Error, from URL: 10.173.36.75:57743

somesoni2 · ‎08-14-2018

Try like this

If this is to be extracted from raw data (_raw field),

your search 
| rex "URL\:\s*(?<IP_Address>\d+\.\d+\.\d+\.\d+)"

If this is to be extracted from some other field (for example from field name "Message"),

your search 
| rex field=Message "URL\:\s*(?<IP_Address>\d+\.\d+\.\d+\.\d+)"

View solution in original post

harishnpandey · ‎08-14-2018

Could you please explain how this works ==> \s*(?\d+.\d+.\d+.\d+)

jkat54 · ‎08-14-2018

See regex101.com

 \s = space
 \d+ = any number of digits
 \. = dot

This regex could identify non-ip addresses too. For example, it would match 1234.5678.9012.34567890 too, which is clearly not an up address.

harishnpandey · ‎08-14-2018

Thanks a lot for quick response. It really helps

somesoni2 · ‎08-14-2018

Try like this

If this is to be extracted from raw data (_raw field),

your search 
| rex "URL\:\s*(?<IP_Address>\d+\.\d+\.\d+\.\d+)"

If this is to be extracted from some other field (for example from field name "Message"),

your search 
| rex field=Message "URL\:\s*(?<IP_Address>\d+\.\d+\.\d+\.\d+)"

How to extract only IP's from text?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!