Splunk Search

How to get ip objects from a Splunk list?

splunknewuser
Loves-to-Learn Everything

Hello, 

I have an output list like this one:

 

 

 

{
    "10.10.10.15": {
    "High": [
      {
        "name": "vu1",
        "nvt_id": "123",
        "port": "",
        "protocol": ""
      }
    ],
    "Medium": [],
    "Low": [],
    "Log": [],
    "False Positive": []
  },
  "10.10.10.24": {
    "High": [
      {
        "name": "vul",
        "nvt_id": "123",
        "port": "",
        "protocol": ""
      }
    ],
    "Medium": [],
    "Low": [],
    "Log": [],
    "False Positive": []
  }
}

 

 

 

I want to get All the IP address and extract the fields in each object.

Labels (1)
Tags (1)
0 Karma

splunknewuser
Loves-to-Learn Everything

I tried to use rex to get the ip addresses:

rex "(?<IP_add>10\.([0-9]{1,3}.){2}[0-9]{1,3})" | table "IP_add".High{}.name

Is it possible to fetch the values of the array using the rex output like that:

rex "(?<ip_add>10\.([0-9]{1,3}.){2}[0-9]{1,3})" | table ip_add.High{}.name

Thank you

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @splunknewuser,

if you ise IP-Add as field name, you have to contniue to use it, if you want a different field name, youcan rename it, but you cannot extract a field called IP_add and the in the table use a different one " ip_add.High{}.name".

then it isn't a good idea to have spaces or special chars (like . or {}) in field names.

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust
SplunkTrust
0 Karma

splunknewuser
Loves-to-Learn Everything

I tried it but the issue is that the ip has now key?

0 Karma
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...