Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Regex Help to extract the first ip?

orionex
Observer
‎10-26-2022 07:48 AM

Please help with regex to extract the first ip(highlighted red) only 

2022-10-25T14:30:28.108+00:00 10.3.4.150 syslog-ng 14928 - [meta sequenceId="-2074435768"] Error processing log message: <14>1 2022-10-26T10:30:28.588005-04:00 RM-SU-SAM - - RemoteLogging>@< { "logVersion": "1.0", "category": "AUDIT", "timeStamp": "2022-10-26T14:29:43.439Z", "id": "K7pTSQoxfV7pvq3bO8PSehvilSt4yZxEiU9oGkasPx8=", "context": { "tenantId": "ZZNXA0OELD-STA", "originatingAddress": "104.205.81.157, 35.227.230.123, 130.211.2.118,172.30.9.68", "principalId": "opatel@mail.com", "sessionId": "c0r52fac-9fc3-42a1-8e48-492b31c72790", "globalAccessId": "10f31a5e-53b4-4bc8-9ec8-13bb6b670592", "applicationType": "SAML", "applicationName": "Splunk", "policyName": "Global Policy for STA" }, "details": { "type": "ACCESS_REQUEST", "state": "Accepted", "action": "auth", "credentials": [ { "type": "otp", "state": "Verified" } ] }

Labels (3)
Labels
0 Karma
Reply

johnhuang
Motivator
‎10-26-2022 08:11 AM 
This will extract the first IP address after the field originatingAddress
| rex "originatingAddress\"\:\s\"(?<first_ip>\d+\.\d+\.\d+\.\d+)"

This will extract the first IP address of the event
| rex "(?<first_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
0 Karma
Reply

FrankVl
Ultra Champion
‎10-26-2022 08:06 AM

If you want to apply the regex to the entire raw event:

"originatingAddress": "([^,]+)

https://regex101.com/r/b4NMEF/1

 

If you already have a field originatingAddress and you're applying the regex to that field specifically, you only need the part in between parentheses. Or you use an eval command to split based on , and then take the first entry using mvindex().

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...