Can someone please help with the Splunk query for the below scenario:
I want to extract the last IP address by a regular expression (regex), for an event which has one or more IP addresses.
If the event has one IP ---> then extract that IP
If the event has more than one IP ---> then extract the last IP
Thanks!
(?<ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)(?!.*\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)
Ugly as hell, and of course it doesn't check the validity of the IP (it accepts any 1-3 digit sequences, even ridiculous ones like 345.912.123.0). Regex is not the best tool to validate IPs.
Can you share some example events to clarify how the last ip address might appear?
Hi @VS0909,
You can try the below:
rex "(?!.+\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
Close, but your regex will match the first IP on the line, not the last one.
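Added example (not from the thread, and not code of any of its posters) that runs both suggested regexes from the replies above against constructed sample events, so the difference the last comment points at can be seen rather than argued about. Python's `re` spells a named group `(?P<ip>...)`, where Splunk's PCRE-based rex uses `(?<ip>...)`; otherwise the patterns are the ones posted. The `(?s)` variant and the `ipaddress` validation step are additions beyond the thread: the former handles multi-line events, where `.` does not cross a newline and the lookahead stops seeing IPs on later lines; the latter does the octet-range check the first answer says a regex is the wrong tool for. All event strings are made up for the demonstration.

```python
import ipaddress
import re

# Loose dotted-quad shape used by the regexes in the thread: four groups of 1-3
# digits. It accepts nonsense such as 345.912.123.0, which is dealt with below.
DOTTED_QUAD = r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"

# First answer's regex, exactly as posted (Python spells the named group
# (?P<ip>...), Splunk/PCRE spells it (?<ip>...)). The negative lookahead
# asserts that no further dotted quad follows, so only the last one can match.
LAST_IP_ASIS = re.compile(rf"(?P<ip>\b{DOTTED_QUAD}\b)(?!.*\b{DOTTED_QUAD}\b)")

# Same regex with (?s). Without it, '.' does not cross a newline, so on a
# multi-line event the lookahead cannot see IPs on later lines and the regex
# returns the last IP of the *first* line instead. (Assumption: the same PCRE
# modifier is what you would put in front of the pattern in rex.)
LAST_IP_LOOKAHEAD = re.compile(
    rf"(?s)(?P<ip>\b{DOTTED_QUAD}\b)(?!.*\b{DOTTED_QUAD}\b)"
)

# Simpler equivalent: a greedy .* swallows as much as it can, which forces the
# capture group onto the last dotted quad in the event.
LAST_IP_GREEDY = re.compile(rf"(?s).*\b(?P<ip>{DOTTED_QUAD})\b")

# Second suggestion, as posted: its lookahead only notices later IPs that
# directly follow whitespace, so on key=value events it stops at the first IP.
LAST_IP_WHITESPACE = re.compile(rf"(?!.+\s{DOTTED_QUAD})(?P<ip>{DOTTED_QUAD})")


def last_ip(event, pattern=LAST_IP_LOOKAHEAD):
    """Return the captured 'ip' group of the first match, or None."""
    m = pattern.search(event)
    return m.group("ip") if m else None


def is_ipv4(candidate):
    """Real validation (each octet 0-255) belongs in code, not in the regex."""
    try:
        ipaddress.IPv4Address(candidate)
        return True
    except ipaddress.AddressValueError:
        return False


def last_valid_ip(event):
    """Extract every dotted quad, drop the invalid ones, return the last."""
    candidates = re.findall(rf"\b{DOTTED_QUAD}\b", event)
    valid = [c for c in candidates if is_ipv4(c)]
    return valid[-1] if valid else None


# Constructed sample events (not taken from the thread).
EVENTS = {
    "single": "Accepted password for alice from 10.1.2.3 port 22 ssh2",
    "spaced": "firewall drop 198.51.100.7 -> 192.0.2.55 tcp/443",
    "kv": "proxy src=192.168.1.10 dst=203.0.113.45 action=allow",
    "multiline": "session opened from 10.0.0.1\nforwarded to 10.0.0.2\n",
    "bogus": "retry 345.912.123.0 then upstream 10.0.0.7 ok",
    "only_bogus": "peer 999.1.1.1 rejected",
    "no_ip": "heartbeat ok",
}

if __name__ == "__main__":
    for name, event in EVENTS.items():
        print(f"{name:>10}: lookahead={last_ip(event)!s:<14} "
              f"greedy={last_ip(event, LAST_IP_GREEDY)!s:<14} "
              f"whitespace={last_ip(event, LAST_IP_WHITESPACE)!s:<14} "
              f"valid={last_valid_ip(event)}")
```

On the `kv` event the whitespace-anchored pattern returns `192.168.1.10` while the lookahead and greedy patterns return `203.0.113.45`; on the `multiline` event the posted pattern without `(?s)` returns `10.0.0.1`. Extracting all candidates and validating them in code is the pragmatic answer to the "345.912.123.0" objection: keep the regex loose and let `ipaddress` decide what is actually an address.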