I've been hoping to play around with some of the iplocation functionality and see if I could leverage it somehow, so I rooted around and found that most of my data is private addresses. That was to be expected, but as I dig around, I cannot seem to find any public addresses at all.
From there I thought it would be fairly simple to do a search across all my data for any public address, or at the very least any non-private address (weed out the smaller set). It turns out that I cannot find an easy way of doing this. Regex sounds like it would be a good approach, but that alone has proven to be more complex than expected.
Since I'm looking to find a public IP in any location, I'm not specifying a source, sourcetype, or field. So I'm either using _raw with regex or index=* searches for IP addresses. Without regex, it becomes a bit of a bear, because doing a NOT search without specifying a field (which I do not know) removes the whole event, which may also contain a public address.
I've found a couple of regexes online that match RFC 1918 addresses, but most use the /m flag in regex101 (m modifier: multi-line. Causes ^ and $ to match the begin/end of each line), which it looks like Splunk does not use.
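As an added example (not part of the original post), here is one way to build the "any non-RFC 1918 IPv4 anywhere in _raw" pattern without relying on the /m flag: the line anchors ^ and $ are replaced by lookarounds, and a negative lookahead rejects the three RFC 1918 prefixes before the octets are consumed. The pattern only uses constructs shared by Python's re and PCRE (fixed-width lookbehind, lookahead, non-capturing groups), so it should drop into Splunk's `regex` or `rex` commands; that Splunk-side usage is my assumption, and the sample events, the NOT_PUBLIC_EXTRA list and the helper names are constructed for this example. It also goes a step beyond the post by showing why "not RFC 1918" is not the same as "public": loopback and link-local addresses pass the regex and need a second filter.

```python
import ipaddress
import re

# Constructed sample events for this example (not real data). The 203.0.113.0/24
# and 198.51.100.0/24 addresses are documentation ranges standing in for public IPs.
SAMPLE_EVENTS = [
    "Jan 10 10:00:01 fw1 ACCEPT src=10.1.2.3 dst=192.168.10.5 proto=tcp",
    "Jan 10 10:00:02 fw1 ACCEPT src=172.16.200.9 dst=203.0.113.77 proto=tcp",
    "Jan 10 10:00:03 fw1 DROP src=172.32.0.1 dst=10.0.0.1 proto=udp",
    "Jan 10 10:00:04 web1 GET /index.html client=198.51.100.23 version=1.2.3.4.5",
    "Jan 10 10:00:05 app1 health check from 127.0.0.1 ok",
    "Jan 10 10:00:06 dhcp link-local fallback 169.254.10.10 assigned",
]

# One IPv4 octet, 0-255, no leading zeros.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"

# RFC 1918 prefixes: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
RFC1918_PREFIX = r"(?:10\.|192\.168\.|172\.(?:1[6-9]|2\d|3[01])\.)"

# Matches an IPv4 address that is NOT in RFC 1918 space, anywhere in the text.
# Lookarounds replace ^/$ so the pattern does not depend on a multiline flag:
#   (?<![\d.])  not preceded by a digit or dot (so "5.10.1.2.3" is not split up)
#   (?![\d.])   not followed by a digit or dot (so "1.2.3.4.5" is rejected)
NON_RFC1918_IPV4_PATTERN = (
    r"(?<![\d.])(?!" + RFC1918_PREFIX + r")"
    + OCTET + r"(?:\." + OCTET + r"){3}(?![\d.])"
)
NON_RFC1918_IPV4 = re.compile(NON_RFC1918_IPV4_PATTERN)

# Ranges that are not RFC 1918 but are still not routable on the public internet.
# Constructed list for this example; extend it to taste (the documentation ranges
# used in the sample events are deliberately left out so they count as "public").
NOT_PUBLIC_EXTRA = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network
    "100.64.0.0/10",    # CGNAT shared address space
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved
)]


def non_rfc1918_ips(event: str) -> list[str]:
    """Every IPv4 address in the event that is outside RFC 1918 space (regex only)."""
    return NON_RFC1918_IPV4.findall(event)


def public_ips(event: str) -> list[str]:
    """Regex hits minus loopback/link-local/multicast/etc. from NOT_PUBLIC_EXTRA."""
    result = []
    for ip in non_rfc1918_ips(event):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in NOT_PUBLIC_EXTRA):
            result.append(ip)
    return result


def events_with_public_ip(events: list[str]) -> list[str]:
    """The events a Splunk-style filter should keep: those with at least one public IP."""
    return [e for e in events if public_ips(e)]


def spl_filter_search() -> str:
    """Assumed SPL equivalent of the regex-only filter (not verified against a Splunk
    instance): keep only events whose _raw contains a non-RFC 1918 IPv4 address."""
    return 'index=* | regex _raw="' + NON_RFC1918_IPV4_PATTERN + '"'


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(non_rfc1918_ips(event), public_ips(event), "<-", event)
    print(spl_filter_search())
```

Running it shows the two traps the post runs into: 172.32.0.1 is kept because 172.32/16 is outside 172.16/12 (only 172.16 through 172.31 are private), and 127.0.0.1 and 169.254.10.10 pass the RFC 1918 regex but are dropped by the second filter. To extract the address as a field rather than just keep the event, the same pattern can be wrapped in a named group for `rex`, for example `| rex field=_raw "(?<public_ip>...)"` with `max_match` raised if an event can carry more than one address (again my assumption about the Splunk side, so check the quoting of backslashes in your SPL).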