Solved: Re: How to retrieve unique IP address from access ...

veeru_irf · ‎05-06-2014

HI
I am trying to extract Unique IP address from access log to determine the user load.

My request looks like as below
- - [01/May/2014:08:59:49 -0700] POST /connect/group/home/support-query1?p_p_id=myexample_WAR_dsp&p_p_lifecycle=2&p_p_state=normal&p_p_mode=view&p_p_cacheability=cacheLevelPage&p_p_col_id=column-1&p_p_col_count=1&action=dispatch HTTP/1.0 200 126 05507 5164

MuS · ‎05-06-2014

Hi veeru_irf,

try something like this:

your base search here | rex "^(?<myIP>(\d+\.){3}(\d+))" | table myIP

If this matches, you can set it up as automatic field extraction so it will be extracted by Splunk directly.
Also here is a nice little page where you can test regex stuff

hope this helps to get you started ...

cheers, MuS

View solution in original post

MuS · ‎05-06-2014

Hi veeru_irf,

try something like this:

your base search here | rex "^(?<myIP>(\d+\.){3}(\d+))" | table myIP

If this matches, you can set it up as automatic field extraction so it will be extracted by Splunk directly.
Also here is a nice little page where you can test regex stuff

hope this helps to get you started ...

cheers, MuS

veeru_irf · ‎05-08-2014

thnx.. It worked

veeru_irf · ‎05-06-2014

Sorry missed out initial part
205.140.227.154 - - [01/May/2014:08:59:49 -0700] POST /connect/group/home/support-query1?p_p_id=myexample_WAR_dsp&p_p_lifecycle=2&p_p_state=normal&p_p_mode=view&p_p_cacheability=cacheLevelPage&p_p_col_id=column-1&p_p_col_count=1&action=dispatch HTTP/1.0 200 126 05507 5164

MuS · ‎05-06-2014

There is no IP in this log? Does your web server log the IP's for requests at all?

How to retrieve unique IP address from access log through splunk ?

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann