Regex for last IP Address

VS0909 · ‎09-06-2021

Can someone please help with the Splunk query for the below scenario:

I want to extract last IP address by a regular expression (regex) , for an event which has one or more IP addresses.

If the event has one IP ---> then extract that IP

If the event has more than one IP ---> then extract the last IP

Thanks!

PickleRick · ‎09-07-2021

(?<ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)(?!.*\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)

Ugly as hell, and of course doesn't check for validity of the IP (accepts any 1-3 digit sequences, even ridiculous like 345.912.123.0). Regex is not the best tool to validate IP-s

ITWhisperer · ‎09-07-2021

Can you share some example events to clarify how the last ip address might appear?

scelikok · ‎09-07-2021

Hi @VS0909,

You can try below;

rex "(?!.+\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

If this reply helps you an upvote is appreciated.

PickleRick · ‎09-07-2021

Close, but your regex will match the first ip on the line, not the last one.

VS0909 · ‎09-07-2021

Can someone please help with the Splunk query for the below scenario:

I want to extract last IP address by a regular expression (regex) , for an event which has one or more IP addresses.

If the event has one IP ---> then extract that IP

If the event has more than one IP ---> then extract the last IP

Thanks!

Regex for last IP Address

chart

count

eval

field extraction

join

regex

stats

timechart

Index This | Why do they call it hyper text?

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk

The Great Resilience Quest: 9th Leaderboard Update