I've got a little problem. I want to split up IP addresses into network and host parts (to create a chart for network segments).
some search | rex field=scrip "(?<Net>.*\..*\.)(?<Host>.*)"
This is the rex part that I got so far. But there are no fields created with "Net" or "Host". What am I doing wrong?
Thanks for your help!
What is the name of the field which contains the IP address? Is it really "scrip"? Perhaps there is a typo and it should be "srcip" or "src_ip".
I have modified your regex a little. Try it like this:
rex field=src_ip "(?<Net>\d+\.\d+\.\d+)\.(?<Host>\d+)"
I tested it like this, which created a "Net" field and a "Host" field:
| makeresults count=1 | eval src_ip="192.168.0.1" | rex field=src_ip "(?<Net>\d+\.\d+\.\d+)\.(?<Host>\d+)"
Omg! Please ignore this whole question...
We've checked it twice but didn't see that I had a typo. Of course the field is srcip and not scrip.
If I write it in the correct way it works fine... 😉
Thank you for your hint.
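Added example, not part of the original thread: the extraction from the answer run over a few constructed srcip values, with the pattern anchored, octets limited to three digits, and a fallback bucket so that values the regex does not match stay visible in the chart data. If the field name given to rex is misspelled, as in the question, no fields are extracted and every event ends up in the "unparsed" row. The sample addresses and the names parsed, events and hosts are assumptions made for this example.

```spl
| makeresults count=1
| eval srcip=split("192.168.0.1,192.168.0.77,10.20.30.40,not-an-ip", ",")
| mvexpand srcip
| rex field=srcip "^(?<Net>\d{1,3}\.\d{1,3}\.\d{1,3})\.(?<Host>\d{1,3})$"
| eval parsed=if(isnull(Net), "no", "yes")
| fillnull value="unparsed" Net
| stats count AS events, dc(Host) AS hosts BY Net, parsed
```

Grouping on the first three octets treats every segment as a /24.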