How to filter ipv6 addresses and keep only ipv4?

woodentree
Communicator

Hi,


We have a lookup file with some IP addresses. They could be in IPv4 or IPv6 format. There could also be one or multiple IP addresses. Something like this:

asset_name | ip
asset_1    | 123.34.43.12, 2a01:bc02:3d:4500:e6f
asset_2    | fe98::7d65:cb43:211a:12bc, 12.56.123.78
asset_3    | 
asset_4    | 45.123.98.76
asset_5    | ab12::3456:cd78:9e11:12ab
asset_6    | 234.123.91.82, 67.12.123.54


We’d like to keep only IPv4 addresses, so the final result should look like this:

asset_name | ip
asset_1    | 123.34.43.12
asset_2    | 12.56.123.78
asset_3    | 
asset_4    | 45.123.98.76
asset_5    | 
asset_6    | 234.123.91.82, 67.12.123.54


Do you have an idea how we can implement this type of filtering?
Thanks.

maciep
Champion

I think you can use mvfilter here... something like this (untested):

| inputlookup <your_lookup>
| eval ip = split(ip,",")
| eval ip = mvfilter(match(ip,"\d+\.\d+\.\d+\.\d+"))
| eval ip = mvjoin(ip,",")
| outputlookup <your_lookup>

woodentree
Communicator

Hi @maciep 

Perfect! It works great.

Thanks for the help.
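
A stricter variant of the accepted mvfilter approach, as an added example that is not part of the original thread: the pattern in the answer is unanchored, so any value that merely contains a dotted quad (for example an IPv4-mapped IPv6 address) passes the filter. The search below trims each value, then compares the unanchored pattern with an anchored one that also limits each octet to 0-255. The rows in `constructed_rows`, the `asset_7` entry and the field names `ip_unanchored` and `ip_strict` are constructed for illustration; `mvmap` assumes Splunk 8.0 or later.

```spl
| makeresults
| eval constructed_rows = "asset_1=123.34.43.12, 2a01:bc02:3d:4500:e6f;asset_5=ab12::3456:cd78:9e11:12ab;asset_6=234.123.91.82, 67.12.123.54;asset_7=::ffff:10.0.0.1, 999.1.1.1, 10.0.0.2"
| eval constructed_rows = split(constructed_rows, ";")
| mvexpand constructed_rows
| eval asset_name = mvindex(split(constructed_rows, "="), 0)
| eval ip = mvindex(split(constructed_rows, "="), 1)
| eval ip = split(ip, ",")
| eval ip = mvmap(ip, trim(ip))
| eval ip_unanchored = mvjoin(mvfilter(match(ip, "\d+\.\d+\.\d+\.\d+")), ", ")
| eval ip_strict = mvjoin(mvfilter(match(ip, "^((25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(25[0-5]|2[0-4]\d|1?\d?\d)$")), ", ")
| fillnull value="" ip_unanchored ip_strict
| table asset_name ip_unanchored ip_strict
```

On the constructed `asset_7` row the two columns differ: `ip_unanchored` keeps all three values, while `ip_strict` keeps only `10.0.0.2`. To apply the strict filter to a real lookup, replace the first six lines with `| inputlookup <your_lookup>` and write the result back with `outputlookup` as in the answer.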
