Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Regex for multiple IP Addresses in Splunk

asplunk123
New Member
‎04-30-2017 01:41 PM

In the below log we have User Agent fallowed by two Ip addresses. So i want to extract below fields

UserAgent , IPAdd2, IPAdd2

My Regex : (getting error)

rex (?.[a-zA-Z0-9-/^%?;.\s\w&()=-]+) | rex "^(?i)(?P[^ ,]+)(,(?P[^ ,]+))?"

Log :

"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/28.0" "158.69.213.225, 23.217.200.191"

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎04-30-2017 02:22 PM

This will create a mult-valued field:

... | rex max_match=0 "(?<IPAddress>\d+\.\d+\.\d+\.\d+)"

You can use a more specific RegEx if you like, but the more complicated it is, the slower it will be, too, and simpler ones are unlikely to have false positives.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...