Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get ip objects from a Splunk list?

splunknewuser
Loves-to-Learn Everything
‎09-22-2022 12:37 AM

Hello, 

I have an output list like this one:

 

 

 

{
    "10.10.10.15": {
    "High": [
      {
        "name": "vu1",
        "nvt_id": "123",
        "port": "",
        "protocol": ""
      }
    ],
    "Medium": [],
    "Low": [],
    "Log": [],
    "False Positive": []
  },
  "10.10.10.24": {
    "High": [
      {
        "name": "vul",
        "nvt_id": "123",
        "port": "",
        "protocol": ""
      }
    ],
    "Medium": [],
    "Low": [],
    "Log": [],
    "False Positive": []
  }
}

 

 

 

I want to get All the IP address and extract the fields in each object.

Labels (1)
Labels
Tags (1)
0 Karma
Reply

splunknewuser
Loves-to-Learn Everything
‎09-29-2022 01:48 AM

I tried to use rex to get the ip addresses:

rex "(?<IP_add>10\.([0-9]{1,3}.){2}[0-9]{1,3})" | table "IP_add".High{}.name

Is it possible to fetch the values of the array using the rex output like that:

rex "(?<ip_add>10\.([0-9]{1,3}.){2}[0-9]{1,3})" | table ip_add.High{}.name

Thank you

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-29-2022 02:05 AM

Hi @splunknewuser,

if you ise IP-Add as field name, you have to contniue to use it, if you want a different field name, youcan rename it, but you cannot extract a field called IP_add and the in the table use a different one " ip_add.High{}.name".

then it isn't a good idea to have spaces or special chars (like . or {}) in field names.

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-22-2022 01:13 AM

Hi @splunknewuser,

did you tried with the spath command (https://docs.splunk.com/Documentation/SplunkCloud/9.0.2205/SearchReference/Spath)?

Ciao.

Giuseppe

0 Karma
Reply

splunknewuser
Loves-to-Learn Everything
‎09-29-2022 12:33 AM

I tried it but the issue is that the ip has now key?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...