I have the need to extract fields between single quotes ( '192.168.0.1', '192.168.0.2' ) in a field that may contain several matches.
How can I make this happen? They are tied to a hostname, so my ultimate goal is, instead of having a table with hostname and ip that says
hostname=a ip_addresses='192.168.0.1',192.168.0.2'
I have
hostname=a ip_addresses=192.168.0.1
hostname=a ip_addresses=192.168.0.2
The rex I devised is | rex field=ip_addresses "(\d+|\.)+(,'\s*\d+|\.\w)*"
I'm currently stumped as I don't know how to extract and supply several rows for this.
The first step is to extract the separate ip addresses, and the second is to display them in a table with the ip addresses on a new row each.
Thanks in advance
Hi
try something like this
index=_internal | head 1 | eval ip_addresses="'192.168.0.1','192.168.0.2'" | makemv ip_addresses delim="," | rex field=ip_addresses "\'(?<ip_address>[^\']*)"
Bye.
Giuseppe
Hi
Can you please try rex?
(?<my_ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)
My sample search:
| makeresults
| eval ip_addresses="'192.168.0.1', '192.168.0.2'"
| append
[| makeresults
| eval ip_addresses="'192.168.0.1'" ]
| rex max_match=0 field=ip_addresses "(?<my_ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)"
| table ip_addresses my_ip
You can define this in transforms.conf; add the following.
[my-ip]
REGEX = (?<my_ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)
MV_ADD = true
In props.conf for your sourcetype or source, set the following.
REPORT-my_ip = my-ip
Happy Splunking
In your example you have the first IP wrapped in single quotes, but the second IP only has a trailing single quote. I'm not sure if that's how your data is actually formatted, but for this example I'll assume the values are all wrapped in single quotes.
To capture the IPs to multiple addresses using rex, you'll need to use the max_match argument. I would recommend:
| rex field=ip_addresses max_match=25 "(?:'(?<ip>[^']+)'\,?)"
This should extract the IP field as a multivalue field for up to 25 IP values. Then you can use mvexpand to break the event into multiple events, one for each IP:
| rex field=ip_addresses max_match=25 "(?:'(?<ip>[^']+)'\,?)" | mvexpand ip | table ip
If the IP field is as you've shown it, with some IP values only followed by a single quote but not preceded by one, use this regex:
(?:'?(?<ip>[^']+)'\,?)
Hi Giuseppe!
This works! How do I make them single value fields with the hostname duplicated? So now I have
hostname ip1
_________ip2
How do i make it so that
hostname ip1
hostname ip2
? Thanks so far!!
Hi christoffertoft,
try this
index=_internal
| head 1
| eval hostname="a", ip_addresses="'192.168.0.1','192.168.0.2'"
| makemv ip_addresses delim=","
| rex field=ip_addresses "\'(?<ip_address>[^\']*)"
| mvexpand ip_address
| table hostname ip_address
Bye.
Giuseppe
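An added example, in Python rather than SPL, that is my own code and not from this thread or from Splunk. It runs the three patterns proposed above (the \b\d{1,3} pattern, and the two quoted forms from the max_match answer) against constructed events in the question's hostname=... ip_addresses=... layout, emulates rex max_match=0 followed by mvexpand to produce one (hostname, ip) row per address, and passes each capture through Python's ipaddress module, since \d{1,3} also accepts octets above 255. It also shows what happens to the loose quoted pattern when the addresses are separated by ", " with a space, as in the question's first line. The names EVENTS, FIELD_RE, rex_max_match, is_valid_ipv4 and expand_events are mine.

```python
import ipaddress
import re

# Constructed sample events in the question's key=value layout (not real data).
# Event b reproduces the asymmetric quoting from the question, where the second
# address has only a trailing quote; event c carries an octet above 255.
EVENTS = [
    "hostname=a ip_addresses='192.168.0.1', '192.168.0.2'",
    "hostname=b ip_addresses='10.0.0.1',10.0.0.2'",
    "hostname=c ip_addresses='172.16.0.1','999.1.1.1'",
]

# The three patterns proposed in the thread (Python's re accepts this syntax unchanged).
DOTTED_QUAD = r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b"  # answer using \b ... \b
QUOTED = r"'([^']+)',?"                                   # max_match answer, both quotes required
LOOSE_QUOTED = r"'?([^']+)',?"                            # max_match answer, leading quote optional

# Splits the raw event into its two fields (assumed layout, mirrors the question).
FIELD_RE = re.compile(r"hostname=(?P<hostname>\S+)\s+ip_addresses=(?P<ip_addresses>.*)$")


def rex_max_match(field, pattern):
    """Emulate `rex max_match=0`: every match becomes one value of a multivalue field.
    A pattern with a capture group yields the group; one without yields the whole match."""
    return [m.group(1) if m.groups() else m.group(0) for m in re.finditer(pattern, field)]


def is_valid_ipv4(text):
    """True only for a syntactically valid IPv4 literal (rejects '999.1.1.1' and ' ')."""
    try:
        return ipaddress.ip_address(text).version == 4
    except ValueError:
        return False


def expand_events(events, pattern=DOTTED_QUAD, validate=True):
    """Emulate `rex max_match=0 ... | mvexpand ip | table hostname ip`.
    Returns one (hostname, ip) tuple per extracted address; with validate=True,
    captures that are not valid IPv4 literals are dropped instead of becoming rows."""
    rows = []
    for event in events:
        m = FIELD_RE.search(event)
        if not m:
            continue
        for ip in rex_max_match(m.group("ip_addresses"), pattern):
            if validate and not is_valid_ipv4(ip):
                continue
            rows.append((m.group("hostname"), ip))
    return rows


if __name__ == "__main__":
    for name, pattern in (("dotted", DOTTED_QUAD), ("quoted", QUOTED), ("loose", LOOSE_QUOTED)):
        for event in EVENTS:
            field = FIELD_RE.search(event).group("ip_addresses")
            print(f"{name:7s} {field!r:40s} -> {rex_max_match(field, pattern)!r}")
    print("expanded rows:", expand_events(EVENTS))
```

The loose pattern captures the single space between ", " and the next quote on event a, and the strict quoted pattern misses the unquoted second address on event b; the \b pattern handles both layouts but accepts 999.1.1.1, which is why the expansion step validates before emitting a row.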
@cusello
Hi, that worked.
Thanks a lot.