Splunk Search

Split IP Address in network and host part

MOberschelp
Explorer

Hi everyone,

I've got a little problem. I want to split up IP addresses in network and host part (to create a chart for network segments).

some search | rex field=scrip "(?<Net>.*\..*\.)(?<Host>.*)"

This is the rex part that I got so far. But there are no fields created with "Net" or "Host". What am I doing wrong?

Thanks for your help!

Regards,
Maik

1 Solution

Yunagi
Communicator

What is the name of the field which contains the IP address? Is it really "scrip"? Perhaps there is a typo and it should be "srcip" or "src_ip".

I have modified your regex a little. Try it like this:

rex field=src_ip "(?<Net>\d+\.\d+\.\d+)\.(?<Host>\d+)"

I tested it like this which created a "Net" field and "Host" field:

| makeresults count=1 | eval src_ip="192.168.0.1" | rex field=src_ip "(?<Net>\d+\.\d+\.\d+)\.(?<Host>\d+)"

View solution in original post

micahkemp
Champion

Are you going to assume that every IP address belongs to a /24 network? That's not always a valid assumption.

0 Karma

MOberschelp
Explorer

In this case... or for this case the ip address always belongs to class C network.

0 Karma

493669
Super Champion

Hey,
It seems you have typo in your fieldname ... is your fieldname is scrip or script

0 Karma

Yunagi
Communicator

What is the name of the field which contains the IP address? Is it really "scrip"? Perhaps there is a typo and it should be "srcip" or "src_ip".

I have modified your regex a little. Try it like this:

rex field=src_ip "(?<Net>\d+\.\d+\.\d+)\.(?<Host>\d+)"

I tested it like this which created a "Net" field and "Host" field:

| makeresults count=1 | eval src_ip="192.168.0.1" | rex field=src_ip "(?<Net>\d+\.\d+\.\d+)\.(?<Host>\d+)"

MOberschelp
Explorer

Omg! Please ignore this whole question...
We've checked it twice but didn't see that I had a typo. Of course the field is srcip and not scrip.

If I write it in the correct way it works fine... 😉

Thank you for your hint.

Regards,
Maik

0 Karma
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 3)

Welcome back to Splunk Classroom Chronicles, our ongoing blog series that pulls back the curtain on Splunk ...

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...

Almost Too Eventful Assurance: Part 1

Modern IT and Network teams still struggle with too many alerts and isolating issues before they are notified. ...