Solved: How to filter ipv6 addresses and keep only ipv4?

woodentree · ‎04-14-2021

Hi,

We have a lookup file with some ip addresses. It could be in IPv4 or IPv6 format. There is also could be one or multiple ip addresses. Something like that:

asset_name | ip
asset_1    | 123.34.43.12, 2a01:bc02:3d:4500:e6f
asset_2    | fe98::7d65:cb43:211a:12bc, 12.56.123.78
asset_3    | 
asset_4    | 45.123.98.76
asset_5    | ab12::3456:cd78:9e11:12ab
asset_6    | 234.123.91.82, 67.12.123.54

We’d like to keep only IPv4 addresses, so the final result should look like that:

asset_name | ip
asset_1    | 123.34.43.12
asset_2    | 12.56.123.78
asset_3    | 
asset_4    | 45.123.98.76
asset_5    | 
asset_6    | 234.123.91.82, 67.12.123.54

Do you have an idea how we can implement this type of filtering?
Thanks.

maciep · ‎04-14-2021

I think you can use mvfilter here....something like this (untested)

| inputlookup <your_lookup>
| eval ip = split(ip,",")
| eval ip = mvfilter(match(ip,"\d+\.\d+\.\d+\.\d+"))
| eval ip = mvjoin(ip,",")
| outputlookup <your_lookup>

View solution in original post

maciep · ‎04-14-2021

I think you can use mvfilter here....something like this (untested)

| inputlookup <your_lookup>
| eval ip = split(ip,",")
| eval ip = mvfilter(match(ip,"\d+\.\d+\.\d+\.\d+"))
| eval ip = mvjoin(ip,",")
| outputlookup <your_lookup>

woodentree · ‎04-14-2021

Hi @maciep

Perfect! It works great.

Thanks for the help.

How to filter ipv6 addresses and keep only ipv4?

lookup

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...