Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract only the first three octets of the IP address instead of the whole address?

samble
Path Finder
‎08-28-2017 05:55 AM

I have the below command to extract the top 100 IP addresses. How can I modify the search to extract only the first three octets of the IP address instead of the whole address?

sourcetype="cisco:asa" | top limit=100 src_ip
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎08-28-2017 06:05 AM

You could use the rex command to extract the first 3 octets into another field and do the top on the new field:

sourcetype="cisco:asa"
| rex field=src_ip "(?<firstthree>\d+)\.\d+\.\d+\.\d+" 
| top limit=100 firstthree

View solution in original post

Reply
Solved! Jump to solution

jpolvino
Builder
‎08-09-2019 10:43 AM

If you have a field named src_ip that has the full 4-octet IP address, here is one way to modify it in-situ:

| rex field=src_ip mode=sed "/(\d{1,3}\.\d{1,3}\.\d{1,3}).*/\1/g"

This groups the first 3 octets as "group 1" and then replaces the whole field with that group, shown as \1. It also puts a little enforcement on the format of the octets, being a group of 1, 2, or 3 digits.

0 Karma
Reply
Solved! Jump to solution

jawaharas
Motivator
‎08-19-2018 05:49 PM

Another way to do

.. | rex field=src_ip "(?<firstthree>.+)\.[0-9]+"
Reply
Solved! Jump to solution
Solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎08-28-2017 06:05 AM

You could use the rex command to extract the first 3 octets into another field and do the top on the new field:

sourcetype="cisco:asa"
| rex field=src_ip "(?<firstthree>\d+)\.\d+\.\d+\.\d+" 
| top limit=100 firstthree
Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎08-28-2017 08:22 AM

Hmmm, looks like your rex should be rex field=src_ip "(?<firstthree>\d+\.\d+\.\d+)\.\d+" instead.

Reply
Solved! Jump to solution

samble
Path Finder
‎08-28-2017 11:55 AM

Thanks. After doing the search I realized that and changed it to

rex field=src_ip "(?\d+.\d+.\d+).\d+"

Thanks for pointing out the same.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...