I have a lot of events indexed which contain the following line:
|ip="0.0.0.0" foo="bar" ip="22.214.171.124" timestamp="2014-08-18 06:30:33 UTC"
The first "ip" value is "wrong" value and the second should be used only. How do I search/extract the second ip value and discard the first?
Assuming your "0.0.0.0" is that "wrong" value you want to avoid (and that's not just a placeholder you put in here), why not try using a regex to match IP addresses that aren't 0.0.0.0?
Even if 0.0.0.0 isn't actually the value that you're trying to avoid, a regex could probably help you extract the second address, anyway.
The docs for spunk's regex function even include a couple of ip-address matching examples you might be able to adapt: http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/regex