IP address for the last occurrence

VS0909
Communicator

Can someone please help with the Splunk query for the below scenario:

I want to extract the last IP address by a regular expression (regex), for an event which has one or more IP addresses.

If the event has one IP ---> then extract that IP

If the event has more than one IP ---> then extract the last IP

Thanks!


scelikok
SplunkTrust

Hi @VS0909,

Please try the following (using a negative lookahead):

| rex "(?!.+\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

If this reply helps you, an upvote and "Accept as Solution" is appreciated.

VS0909
Communicator

Thanks for the reply @gcusello. It is still taking the first value. Can you please help! Thanks!


gcusello
SplunkTrust

Hi @VS0909,

please try this:

| rex ".*(?<IP>\d+\.\d+\.\d+\.\d+)"

that you can test at https://regex101.com/r/UxpUvx/2

Ciao.

Giuseppe

VS0909
Communicator

@gcusello Thanks for the reply.

| rex "\s(?<IP>\d+\.\d+\.\d+\.\d+)"

This regex is capturing all the IPs in the event. I just need the last IP. Can you please help with that?


gcusello
SplunkTrust

Hi @VS0909,

please try this:

| rex max_match=0 "(?<IP>\d+\.\d+\.\d+\.\d+)"
| eval IP=mvindex(IP,-1)

Ciao.

Giuseppe


VS0909
Communicator

@gcusello Please find the details below.

There may be one or more IPs in the event.

Sample logs with two IPs:

- - - [07/Sep/2020:06:42:58 -0500] "ssa/edit.jsp?assetURI HTTP/1.1" HTTP/1.1 200 1111 1111 0.222/444 Mozilla/1.0 (Windows NT 1.0; Win64; x64)110.10.222.22 LKMKOIL8098mnmdsLO799 230.44.333.122 wwwsss.abc.com


Sample logs with one IP:

- - - [07/Sep/2020:06:42:58 -0500] "ssa/edit.jsp?assetURI HTTP/1.1" HTTP/1.1 200 1111 1111 0.222/444 Mozilla/1.0 (Windows NT 1.0; Win64; x64) - http://abc:8080/bbb/aaa/mmm?_requestid=39999 230.44.333.222 LKMKOIL8098mnmdsLO799 - abcde1


gcusello
SplunkTrust

Hi @VS0909,

please try this:

| rex "\s(?<IP>\d+\.\d+\.\d+\.\d+)"

that you can test at https://regex101.com/r/UxpUvx/1

Ciao.

Giuseppe

VS0909
Communicator

@gcusello Can you help with the Splunk query for the below scenario:

I want to extract the last IP address by a regular expression (regex), for an event which has one or more IP addresses.

If the event has one IP ---> then extract that IP

If the event has more than one IP ---> then extract the last IP

Thanks!


gcusello
SplunkTrust

Hi @VS0909,

Could you share a sample of your logs?

Possibly some events with one IP and some others with many IPs.

Ciao.

Giuseppe


VS0909
Communicator

@gcusello Thanks for the reply!

rex ".*(?<IP>\d+\.\d+\.\d+\.\d+)" - this is capturing the last IP, but instead of capturing "230.44.333.122", it's capturing "0.44.333.222".

Appreciate your help on this.

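As an added example (not code from any poster in this thread), the rex patterns proposed above are run against the two sample events quoted in the thread, using JavaScript's RegExp, which accepts the same `(?<name>...)` and lookaround syntax as Splunk's PCRE-based rex; the capture group is named IP throughout, the `anchored` pattern with a `(?<![\d.])` lookbehind is my own addition, and `rexLast` stands in for `rex max_match=0 ... | eval IP=mvindex(IP,-1)`.

```javascript
// Constructed inputs: the two sample events quoted in the thread.
const SAMPLES = {
  twoIPs: '- - - [07/Sep/2020:06:42:58 -0500] "ssa/edit.jsp?assetURI HTTP/1.1" HTTP/1.1 200 1111 1111 0.222/444 Mozilla/1.0 (Windows NT 1.0; Win64; x64)110.10.222.22 LKMKOIL8098mnmdsLO799 230.44.333.122 wwwsss.abc.com',
  oneIP: '- - - [07/Sep/2020:06:42:58 -0500] "ssa/edit.jsp?assetURI HTTP/1.1" HTTP/1.1 200 1111 1111 0.222/444 Mozilla/1.0 (Windows NT 1.0; Win64; x64) - http://abc:8080/bbb/aaa/mmm?_requestid=39999 230.44.333.222 LKMKOIL8098mnmdsLO799 - abcde1',
};

const OCTETS = String.raw`\d+\.\d+\.\d+\.\d+`;
const PATTERNS = {
  // rex ".*(?<IP>...)": the greedy .* backtracks from the right and stops at the
  // shortest trailing run that still looks like an IP, hence "0.44.333.122".
  greedy: String.raw`.*(?<IP>${OCTETS})`,
  // Same idea, but the lookbehind (an assumption, not from the thread) refuses to
  // start inside a number, so backtracking must retreat to the start of the last IP.
  anchored: String.raw`.*(?<![\d.])(?<IP>${OCTETS})`,
  // scelikok's negative lookahead: match an IP only if no "whitespace + IP" follows.
  negLookahead: String.raw`(?!.+\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?<IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})`,
  // Plain capture, for use with "rex max_match=0 ... | eval IP=mvindex(IP,-1)".
  plain: String.raw`(?<IP>${OCTETS})`,
};

// rex with the default max_match=1: first match only.
function rexFirst(event, name) {
  const m = new RegExp(PATTERNS[name]).exec(event);
  return m ? m.groups.IP : null;
}

// rex max_match=0 ... | eval IP=mvindex(IP,-1): every match, keep the last one.
function rexLast(event, name) {
  const all = Array.from(event.matchAll(new RegExp(PATTERNS[name], 'g')), m => m.groups.IP);
  return all.length ? all[all.length - 1] : null;
}

// Result of each approach for one event.
function compare(event) {
  return {
    greedy: rexFirst(event, 'greedy'),
    anchored: rexFirst(event, 'anchored'),
    negLookahead: rexFirst(event, 'negLookahead'),
    plainLast: rexLast(event, 'plain'),
  };
}

for (const [label, event] of Object.entries(SAMPLES)) {
  console.log(label, compare(event));
}
```

Only `greedy` reproduces the truncated "0.44.333.x" value reported above; the other three return the full last IP on both samples. Note that `\d+` octets also accept values like 333 that are not valid IPv4, exactly as the thread's patterns do.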