Splunk Search

Regex Help to extract the first ip?

orionex
Observer

Please help with a regex to extract the first IP (highlighted red) only:

2022-10-25T14:30:28.108+00:00 10.3.4.150 syslog-ng 14928 - [meta sequenceId="-2074435768"] Error processing log message: <14>1 2022-10-26T10:30:28.588005-04:00 RM-SU-SAM - - RemoteLogging>@< { "logVersion": "1.0", "category": "AUDIT", "timeStamp": "2022-10-26T14:29:43.439Z", "id": "K7pTSQoxfV7pvq3bO8PSehvilSt4yZxEiU9oGkasPx8=", "context": { "tenantId": "ZZNXA0OELD-STA", "originatingAddress": "104.205.81.157, 35.227.230.123, 130.211.2.118,172.30.9.68", "principalId": "opatel@mail.com", "sessionId": "c0r52fac-9fc3-42a1-8e48-492b31c72790", "globalAccessId": "10f31a5e-53b4-4bc8-9ec8-13bb6b670592", "applicationType": "SAML", "applicationName": "Splunk", "policyName": "Global Policy for STA" }, "details": { "type": "ACCESS_REQUEST", "state": "Accepted", "action": "auth", "credentials": [ { "type": "otp", "state": "Verified" } ] }


johnhuang
Motivator
This will extract the first IP address after the field originatingAddress
| rex "originatingAddress\"\:\s\"(?<first_ip>\d+\.\d+\.\d+\.\d+)"

This will extract the first IP address of the event
| rex "(?<first_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

FrankVl
Ultra Champion

If you want to apply the regex to the entire raw event:

"originatingAddress": "([^,]+)

https://regex101.com/r/b4NMEF/1


If you already have a field originatingAddress and you're applying the regex to that field specifically, you only need the part in between parentheses. Or you use an eval command to split based on , and then take the first entry using mvindex().

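Added example (not from either answer above): the three approaches from the thread, johnhuang's anchored and unanchored rex patterns and FrankVl's "up to the first comma" regex plus split-and-take-first, run in Python's re module against the sample event from the question. It shows the point both answers make implicitly: the unanchored "first IP in the event" pattern returns the syslog-ng source address (10.3.4.150), not the first originatingAddress entry, so the key-anchored form is the one that answers the question. The sample event is a constructed, shortened copy of the one posted; the function names and the octet-range check with the ipaddress module are additions for illustration.

```python
import re
import ipaddress

# Constructed sample: the raw event from the question, with the embedded JSON
# trimmed to the fields the regexes actually touch.
SAMPLE_EVENT = (
    '2022-10-25T14:30:28.108+00:00 10.3.4.150 syslog-ng 14928 - '
    '[meta sequenceId="-2074435768"] Error processing log message: <14>1 '
    '2022-10-26T10:30:28.588005-04:00 RM-SU-SAM - - RemoteLogging>@< '
    '{ "logVersion": "1.0", "category": "AUDIT", "context": { '
    '"tenantId": "ZZNXA0OELD-STA", '
    '"originatingAddress": "104.205.81.157, 35.227.230.123, 130.211.2.118,172.30.9.68", '
    '"principalId": "opatel@mail.com" } }'
)

# johnhuang's first rex: anchored on the JSON key, so it only ever sees the
# originatingAddress list. (The Splunk string needed \" escapes; Python does not.)
ANCHORED_RE = re.compile(r'originatingAddress":\s"(?P<first_ip>\d+\.\d+\.\d+\.\d+)')

# johnhuang's second rex: first dotted quad anywhere in _raw. On a syslog-wrapped
# event that is the relay's source address, not the application's field.
FIRST_IN_EVENT_RE = re.compile(r'(?P<first_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})')

# FrankVl's regex, with the group named so rex would accept it as-is.
UP_TO_COMMA_RE = re.compile(r'"originatingAddress": "(?P<first_ip>[^,]+)')

# Pulls the whole quoted originatingAddress value, i.e. what a JSON-extracted
# field would already contain (hypothetical helper, not on the page).
FIELD_RE = re.compile(r'"originatingAddress":\s*"([^"]*)"')


def first_ip_anchored(event: str):
    m = ANCHORED_RE.search(event)
    return m.group("first_ip") if m else None


def first_ip_in_event(event: str):
    m = FIRST_IN_EVENT_RE.search(event)
    return m.group("first_ip") if m else None


def first_ip_up_to_comma(event: str):
    m = UP_TO_COMMA_RE.search(event)
    return m.group("first_ip") if m else None


def originating_address_field(event: str):
    m = FIELD_RE.search(event)
    return m.group(1) if m else None


def all_hops(field_value: str):
    """Equivalent of split(originatingAddress, ",") in eval; strips the uneven
    spacing seen in the sample ("118,172" has no space after the comma)."""
    return [part.strip() for part in field_value.split(",") if part.strip()]


def first_ip_by_split(field_value: str):
    """Equivalent of mvindex(split(originatingAddress, ","), 0) with a trim."""
    hops = all_hops(field_value)
    return hops[0] if hops else None


def is_valid_ipv4(candidate: str) -> bool:
    """\d{1,3} also matches 999.1.1.1; validate the octets before trusting it."""
    try:
        return isinstance(ipaddress.ip_address(candidate), ipaddress.IPv4Address)
    except ValueError:
        return False


if __name__ == "__main__":
    print("anchored      :", first_ip_anchored(SAMPLE_EVENT))
    print("first in event:", first_ip_in_event(SAMPLE_EVENT))
    print("up to comma   :", first_ip_up_to_comma(SAMPLE_EVENT))
    field = originating_address_field(SAMPLE_EVENT)
    print("split+mvindex :", first_ip_by_split(field), "of", all_hops(field))
```

Whichever form you use, check the octets (the is_valid_ipv4 step above) before feeding the value into lookups or alerts, since the `\d{1,3}` patterns happily capture numbers that are not addresses. Also note that a comma-separated address list like this one records several hops; confirm which position in the list is the one your use case cares about rather than assuming the first entry.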