Splunk Search

Regex for last IP Address

VS0909
Communicator

Can someone please help with the Splunk query for the below scenario:

I want to extract last IP address by a regular expression (regex) , for an event which has one or more IP addresses.

If the event has one IP ---> then extract that IP

If the event has more than one IP ---> then extract the last IP

Thanks!

0 Karma

PickleRick
SplunkTrust
SplunkTrust

(?<ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)(?!.*\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)

Ugly as hell, and of course doesn't check for validity of the IP (accepts any 1-3 digit sequences, even ridiculous like 345.912.123.0). Regex is not the best tool to validate IP-s

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Can you share some example events to clarify how the last ip address might appear?

0 Karma

scelikok
SplunkTrust
SplunkTrust

Hi @VS0909,

You can try below;

rex "(?!.+\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

PickleRick
SplunkTrust
SplunkTrust

Close, but your regex will match the first ip on the line, not the last one.

0 Karma

VS0909
Communicator

Can someone please help with the Splunk query for the below scenario:

I want to extract last IP address by a regular expression (regex) , for an event which has one or more IP addresses.

If the event has one IP ---> then extract that IP

If the event has more than one IP ---> then extract the last IP

Thanks!

0 Karma
Get Updates on the Splunk Community!

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

[Coming Soon] Splunk Observability Cloud - Enhanced navigation with a modern look and ...

We are excited to introduce our enhanced UI that brings together AppDynamics and Splunk Observability. This is ...