Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to filter ipv6 addresses and keep only ipv4?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodentree
Communicator
04-14-2021
12:34 AM
Hi,
We have a lookup file with some ip addresses. It could be in IPv4 or IPv6 format. There is also could be one or multiple ip addresses. Something like that:
asset_name | ip
asset_1 | 123.34.43.12, 2a01:bc02:3d:4500:e6f
asset_2 | fe98::7d65:cb43:211a:12bc, 12.56.123.78
asset_3 |
asset_4 | 45.123.98.76
asset_5 | ab12::3456:cd78:9e11:12ab
asset_6 | 234.123.91.82, 67.12.123.54
We’d like to keep only IPv4 addresses, so the final result should look like that:
asset_name | ip
asset_1 | 123.34.43.12
asset_2 | 12.56.123.78
asset_3 |
asset_4 | 45.123.98.76
asset_5 |
asset_6 | 234.123.91.82, 67.12.123.54
Do you have an idea how we can implement this type of filtering?
Thanks.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
maciep
Champion
04-14-2021
05:42 AM
I think you can use mvfilter here....something like this (untested)
| inputlookup <your_lookup>
| eval ip = split(ip,",")
| eval ip = mvfilter(match(ip,"\d+\.\d+\.\d+\.\d+"))
| eval ip = mvjoin(ip,",")
| outputlookup <your_lookup>- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
maciep
Champion
04-14-2021
05:42 AM
I think you can use mvfilter here....something like this (untested)
| inputlookup <your_lookup>
| eval ip = split(ip,",")
| eval ip = mvfilter(match(ip,"\d+\.\d+\.\d+\.\d+"))
| eval ip = mvjoin(ip,",")
| outputlookup <your_lookup>- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodentree
Communicator
04-14-2021
11:54 PM
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform
Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...
Calling All Security Pros: Ready to Race Through Boston?
Hey Splunkers,
.conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...
Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...
Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...
