Solved: Re: How to extract only the first three octets of ...

samble · ‎08-28-2017

I have the below command to extract the top 100 IP addresses. How can I modify the search to extract only the first three octets of the IP address instead of the whole address?

sourcetype="cisco:asa" | top limit=100 src_ip

kmorris_splunk · ‎08-28-2017

You could use the rex command to extract the first 3 octets into another field and do the top on the new field:

sourcetype="cisco:asa"
| rex field=src_ip "(?<firstthree>\d+)\.\d+\.\d+\.\d+" 
| top limit=100 firstthree

View solution in original post

jpolvino · ‎08-09-2019

If you have a field named src_ip that has the full 4-octet IP address, here is one way to modify it in-situ:

| rex field=src_ip mode=sed "/(\d{1,3}\.\d{1,3}\.\d{1,3}).*/\1/g"

This groups the first 3 octets as "group 1" and then replaces the whole field with that group, shown as \1. It also puts a little enforcement on the format of the octets, being a group of 1, 2, or 3 digits.

jawaharas · ‎08-19-2018

Another way to do

.. | rex field=src_ip "(?<firstthree>.+)\.[0-9]+"

kmorris_splunk · ‎08-28-2017

You could use the rex command to extract the first 3 octets into another field and do the top on the new field:

sourcetype="cisco:asa"
| rex field=src_ip "(?<firstthree>\d+)\.\d+\.\d+\.\d+" 
| top limit=100 firstthree

s2_splunk · ‎08-28-2017

Hmmm, looks like your rex should be rex field=src_ip "(?<firstthree>\d+\.\d+\.\d+)\.\d+" instead.

samble · ‎08-28-2017

Thanks. After doing the search I realized that and changed it to

rex field=src_ip "(?\d+.\d+.\d+).\d+"

Thanks for pointing out the same.

How to extract only the first three octets of the IP address instead of the whole address?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?