Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Split IP Address in network and host part

MOberschelp
Explorer
‎02-06-2018 01:37 AM

Hi everyone,

I've got a little problem. I want to split up IP addresses in network and host part (to create a chart for network segments).

some search | rex field=scrip "(?<Net>.*\..*\.)(?<Host>.*)"

This is the rex part that I got so far. But there are no fields created with "Net" or "Host". What am I doing wrong?

Thanks for your help!

Regards,
Maik

Reply
1 Solution
Solved! Jump to solution
Solution

Yunagi
Communicator
‎02-06-2018 06:17 AM

What is the name of the field which contains the IP address? Is it really "scrip"? Perhaps there is a typo and it should be "srcip" or "src_ip".

I have modified your regex a little. Try it like this:

rex field=src_ip "(?<Net>\d+\.\d+\.\d+)\.(?<Host>\d+)"

I tested it like this which created a "Net" field and "Host" field:

| makeresults count=1 | eval src_ip="192.168.0.1" | rex field=src_ip "(?<Net>\d+\.\d+\.\d+)\.(?<Host>\d+)"

View solution in original post

Reply
Solved! Jump to solution

micahkemp
Champion
‎02-06-2018 06:43 AM

Are you going to assume that every IP address belongs to a /24 network? That's not always a valid assumption.

0 Karma
Reply
Solved! Jump to solution

MOberschelp
Explorer
‎02-06-2018 07:27 AM

In this case... or for this case the ip address always belongs to class C network.

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎02-06-2018 06:20 AM

Hey,
It seems you have typo in your fieldname ... is your fieldname is scrip or script

0 Karma
Reply
Solved! Jump to solution
Solution

Yunagi
Communicator
‎02-06-2018 06:17 AM

What is the name of the field which contains the IP address? Is it really "scrip"? Perhaps there is a typo and it should be "srcip" or "src_ip".

I have modified your regex a little. Try it like this:

rex field=src_ip "(?<Net>\d+\.\d+\.\d+)\.(?<Host>\d+)"

I tested it like this which created a "Net" field and "Host" field:

| makeresults count=1 | eval src_ip="192.168.0.1" | rex field=src_ip "(?<Net>\d+\.\d+\.\d+)\.(?<Host>\d+)"
Reply
Solved! Jump to solution

MOberschelp
Explorer
‎02-06-2018 07:22 AM

Omg! Please ignore this whole question...
We've checked it twice but didn't see that I had a typo. Of course the field is srcip and not scrip.

If I write it in the correct way it works fine... 😉

Thank you for your hint.

Regards,
Maik

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...