Splunk Search

Rex to optionally extract several fields

christoffertoft
Communicator

I have the need to extract fields between single quotes ( '192.168.0.1', '192.168.0.2') in a field that may contain several matches.

How can I make this happen? they are tied to a hostname so my ultimate goal is to instead of having a table with hostname, ip says
hostname=a ip_addresses='192.168.0.1',192.168.0.2'
I have
hostname=a ip_addresses=192.168.0.1
hostname=a ip_addresses=192.168.0.2

The rex i devised is | rex field=ip_addresses "(\d+|\.)+(,'\s*\d+|\.\w)*"

Im currently stumped as i dont know how to extract and supply several rows for this.

The first step is to extract the separate ip addresses, and the second is to display them in a table with the ip addresses on a new row each.

Thanks in advance

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi
try something like this

index=_internal | head 1 | eval ip_addresses="'192.168.0.1','192.168.0.2'" | makemv ip_addresses delim="," | rex field=ip_addresses "\'(?<ip_address>[^\']*)"

Bye.
Giuseppe

View solution in original post

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Hi

Can you please try rex?

(?<my_ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)

My sample search:

| makeresults 
| eval ip_addresses="'192.168.0.1', '192.168.0.2'" 
| append 
    [| makeresults 
    | eval ip_addresses="'192.168.0.1'" ] 
| rex max_match=0 field=ip_addresses "(?<my_ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)" 
| table ip_addresses my_ip

You can define In transforms.conf, add the following.

[my-ip]
REGEX = (?<my_ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)
MV_ADD = true

In props.conf for your sourcetype or source, set the following.

REPORT-my_ip = my-ip

Happy Splunking

0 Karma

wenthold
Communicator

In your example you have the first IP wrapped in single quotes, but the second IP only has a trailing single quote - I'm not sure if that's how your data is actually formatted but for this example I'll assume the values are all wrapped in single quotes.

To capture the IPs to multiple addresses using rex, you'll need to use the max_match argument. I would recommend:

| rex field=ip_addresses max_match=25 "(?:'(?<ip>[^']+)'\,?)"

This should extract the IP field as a multivalue field for up to 25 IP values. Then you can use mvexpand to break the event into multiple events, one for each IP:

| rex field=ip_addresses max_match=25 "(?:'(?<ip>[^']+)'\,?)" | mvexpand ip | table ip

If the IP field is as you've shown it, with some IP values only followed by a single quote but not proceeded by one, use this regex:

(?:'?(?<ip>[^']+)'\,?)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi
try something like this

index=_internal | head 1 | eval ip_addresses="'192.168.0.1','192.168.0.2'" | makemv ip_addresses delim="," | rex field=ip_addresses "\'(?<ip_address>[^\']*)"

Bye.
Giuseppe

0 Karma

christoffertoft
Communicator

Hi Giuseppe!

This works! How do i make them single value fields with the hostname duplicated? so now I have

hostname ip1
_________ip2

How do i make it so that

hostname ip1
hostname ip2

? Thanks so far!!

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi christoffertoft,
try this

index=_internal 
| head 1 
| eval hostname="a", ip_addresses="'192.168.0.1','192.168.0.2'" 
| makemv ip_addresses delim="," 
| rex field=ip_addresses "\'(?<ip_address>[^\']*)" 
| mvexpand ip_address 
| table hostname ip_address

Bye.
Giuseppe

0 Karma

christoffertoft
Communicator

@cusello

Hi, that worked.

Thanks alot.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...