Can someone please help with the Splunk query for the below scenario:
I want to extract the last IP address by a regular expression (regex), for an event which has one or more IP addresses.
If the event has one IP ---> then extract that IP
If the event has more than one IP ---> then extract the last IP
Thanks!
Hi @VS0909,
Please try the below (using negative lookahead):
| rex "(?!.+\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
Thanks for the reply @gcusello . It is still taking the first value. Can you please help! Thanks!
Hi @VS0909,
please try this:
| rex ".*(?<IP>\d+\.\d+\.\d+\.\d+)"
that you can test at https://regex101.com/r/UxpUvx/2
Ciao.
Giuseppe
@gcusello Thanks for the reply.
| rex "\s(?<IP>\d+\.\d+\.\d+\.\d+)"
This regex is capturing all the IPs in the event. I just need the last IP. Can you please help with that?
@gcusello Please find below details
There may be one or more IPs in the event
Sample logs with two IPs:
- - - [07/Sep/2020:06:42:58 -0500] "ssa/edit.jsp?assetURI HTTP/1.1" HTTP/1.1 200 1111 1111 0.222/444 Mozilla/1.0 (Windows NT 1.0; Win64; x64)110.10.222.22 LKMKOIL8098mnmdsLO799 230.44.333.122 wwwsss.abc.com
Sample logs with one IP:
- - - [07/Sep/2020:06:42:58 -0500] "ssa/edit.jsp?assetURI HTTP/1.1" HTTP/1.1 200 1111 1111 0.222/444 Mozilla/1.0 (Windows NT 1.0; Win64; x64) - http://abc:8080/bbb/aaa/mmm?_requestid=39999 230.44.333.222 LKMKOIL8098mnmdsLO799 - abcde1
Hi @VS0909,
please try this:
| rex "\s(?<IP>\d+\.\d+\.\d+\.\d+)"
that you can test at https://regex101.com/r/UxpUvx/1
Ciao.
Giuseppe
@gcusello Can you help with the Splunk query for the below scenario:
I want to extract the last IP address by a regular expression (regex), for an event which has one or more IP addresses.
If the event has one IP ---> then extract that IP
If the event has more than one IP ---> then extract the last IP
Thanks!
Hi @VS0909,
Could you share any sample of your logs?
possibly some events with one IP and some others with many IPs.
Ciao.
Giuseppe
@gcusello Thanks for the reply!
rex ".*(?<IP>\d+\.\d+\.\d+\.\d+)" - this is capturing the last IP, but instead of capturing "230.44.333.122" , its capturing "0.44.333.222"
Appreciate your help on this.
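Added example (not from the thread or from Splunk's own documentation) showing why the greedy `.*` pattern returns "0.44.333.122" on the two sample events above, and a guarded pattern that returns the whole last address; the Splunk `rex` form in the comment is assumed to behave the same, since Splunk uses PCRE and the lookbehind here is fixed-width.

```python
import re

# Constructed sample events, copied from the two samples posted in the thread.
TWO_IPS = (
    '- - - [07/Sep/2020:06:42:58 -0500] "ssa/edit.jsp?assetURI HTTP/1.1" HTTP/1.1 '
    '200 1111 1111 0.222/444 Mozilla/1.0 (Windows NT 1.0; Win64; x64)110.10.222.22 '
    'LKMKOIL8098mnmdsLO799 230.44.333.122 wwwsss.abc.com'
)
ONE_IP = (
    '- - - [07/Sep/2020:06:42:58 -0500] "ssa/edit.jsp?assetURI HTTP/1.1" HTTP/1.1 '
    '200 1111 1111 0.222/444 Mozilla/1.0 (Windows NT 1.0; Win64; x64) - '
    'http://abc:8080/bbb/aaa/mmm?_requestid=39999 230.44.333.222 LKMKOIL8098mnmdsLO799 - abcde1'
)

# Dotted quad as written in the thread (no 0-255 range check, so "333" still matches).
QUAD = r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"

# The thread's pattern: greedy .* swallows the event, then backtracks from the end and
# stops at the FIRST position (scanning right to left) where a quad still fits.
# That position is the final "0" of "230", hence the truncated "0.44.333.122".
GREEDY = re.compile(r".*(?P<IP>" + QUAD + r")")

# Fix: the capture may not start right after a digit (lookbehind) nor end right before
# one (lookahead), so backtracking must step back to the full "230".
# Assumed Splunk equivalent (PCRE):
#   | rex ".*(?<!\d)(?<IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?!\d)"
LAST_IP = re.compile(r".*(?<!\d)(?P<IP>" + QUAD + r")(?!\d)")

# Same guards without the leading .*: lists every quad in order (rex with max_match=0).
EVERY_IP = re.compile(r"(?<!\d)(" + QUAD + r")(?!\d)")


def last_ip(event: str, pattern: re.Pattern = LAST_IP):
    """Return the IP group of the first match, or None if the event holds no quad."""
    m = pattern.search(event)
    return m.group("IP") if m else None


def all_ips(event: str):
    """Return every dotted quad in the event, left to right."""
    return EVERY_IP.findall(event)


if __name__ == "__main__":
    for label, event in (("two IPs", TWO_IPS), ("one IP", ONE_IP)):
        print(label, "greedy:", last_ip(event, GREEDY), "fixed:", last_ip(event))
        print(label, "all:", all_ips(event))
```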