Splunk Search

how to extract this ip address

cyberportnoc
Explorer

"api" AND "delete" AND ("neutron" OR "nova" OR "cinder" OR "glance") | rex field=_raw "api:(?<ipip>\s\d+.\d+.\d+.\d+)" | stats ipip

No result after adding "| stats ipip".

Jul 27 16:47:59 iccontroller01 neutron-api: 192.168.120.5, 192.168.100.104 - - [27/Jul/2016:16:47:59 +0800] "DELETE /v2.0/floatingips/34840e14-8387-4cf0-bd26-b3f84782a8c9.json HTTP/1.1" 204 - "-" "python-neutronclient"

0 Karma
1 Solution

sundareshr
Legend

Try this

"api" AND "delete" AND ("neutron" OR "nova" OR "cinder" OR "glance") | rex field=_raw "api:(?<IP> \d+\.\d+\.\d+\.\d+,?){0,3}" | mvexpand IP | table IP


cyberportnoc
Explorer

What does {0,3} mean?

0 Karma

sundareshr
Legend

{0,3} means the group can occur 0 - 3 times. In this case, the group is space followed by IP pattern. If the IP can only appear in that segment of the event, you could also do

.... | rex max_match=0 "(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

The only risk with this is it will capture all IP addresses no matter where they appear in the event.

0 Karma

cyberportnoc
Explorer

"api" AND "delete" AND ("neutron" OR "nova" OR "cinder" OR "glance") | rex field=_raw "api:(?<ipip>\s\d+.\d+.\d+.\d+){0,3}" | mvexpand ipip | table ipip | stats count by ipip

This shows more IPs than the previous answer.

0 Karma

Raschko
Communicator

As your splunk search isn't formatted correctly, I hope I got it right (use the "Code Sample" button above when posting a Splunk Search).

Using your regex I can extract it without a problem:

search | rex field=_raw "api:(?<ipip>\s\d+.\d+.\d+.\d+)" | stats first(ipip)

0 Karma

cyberportnoc
Explorer

The command first(ipip) can extract, but it only shows one IP result, and when I count it, no result is found.

"api" AND "delete" AND ("neutron" OR "nova" OR "cinder" OR "glance") | rex field=_raw "api:(?<ipip>\s\d+.\d+.\d+.\d+)" | stats count by first(ipip)

0 Karma

Raschko
Communicator

The stats function "first" just shows the first ipip that was seen by Splunk.

To count by extracted IP addresses use something like this:

"api" AND "delete" AND ("neutron" OR "nova" OR "cinder" OR "glance") | rex field=_raw "api:\s(?<ipip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | stats count by ipip

It still only extracts the first IP address following "api: " of the log event.

0 Karma
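To make the behaviour of the three regex variants in this thread concrete (sundareshr's repeated `{0,3}` group and `max_match=0` above, and Raschko's point that the anchored regex returns only the first address), here is an added Python example that is not from the thread or from Splunk. It runs the equivalent patterns over the question's own event plus two constructed lines (the third has a constructed IP in the referer field), then does the "count by IP" the poster wanted, using every address in the comma-separated list after "api: ".

```python
import re
from collections import Counter

# Sample events in the shape of the neutron-api line quoted in the question.
# Event 1 is the question's own event; events 2 and 3 are constructed here, event 3
# with an IP in the referer field to show where an unanchored regex over-matches.
EVENTS = [
    'Jul 27 16:47:59 iccontroller01 neutron-api: 192.168.120.5, 192.168.100.104 - - '
    '[27/Jul/2016:16:47:59 +0800] "DELETE /v2.0/floatingips/34840e14-8387-4cf0-bd26-'
    'b3f84782a8c9.json HTTP/1.1" 204 - "-" "python-neutronclient"',
    'Jul 27 16:48:03 iccontroller01 nova-api: 192.168.120.5 - - '
    '[27/Jul/2016:16:48:03 +0800] "DELETE /v2/servers/0000-constructed HTTP/1.1" 204 - "-" "python-novaclient"',
    'Jul 27 16:48:10 iccontroller01 neutron-api: 192.168.100.104, 192.168.120.5 - - '
    '[27/Jul/2016:16:48:10 +0800] "DELETE /v2.0/ports/1111-constructed HTTP/1.1" 204 - '
    '"http://10.20.30.40/dashboard" "python-neutronclient"',
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
SERVICES = ("neutron", "nova", "cinder", "glance")

def first_ip(event):
    """Raschko's anchored regex: only the first address after 'api: '."""
    m = re.search(r"api:\s(?P<ipip>" + IPV4 + ")", event)
    return m.group("ipip") if m else None

def repeated_group_ip(event):
    """sundareshr's {0,3} form: a repeated capture group keeps only its last repetition."""
    m = re.search(r"api:(?P<IP> \d+\.\d+\.\d+\.\d+,?){0,3}", event)
    return m.group("IP").strip(", ") if m and m.group("IP") else None

def ips_anywhere(event):
    """Equivalent of rex max_match=0: every IPv4-looking token, wherever it appears."""
    return re.findall(IPV4, event)

def api_ips(event):
    """All addresses in the comma-separated list directly after 'api: ', nothing else."""
    m = re.search(r"api:\s(" + IPV4 + r"(?:,\s*" + IPV4 + r")*)", event)
    return [ip.strip() for ip in m.group(1).split(",")] if m else []

def count_deletes_by_ip(events):
    """Equivalent of '... | stats count by ipip', counting every address in the list."""
    counts = Counter()
    for ev in events:
        if '"DELETE ' in ev and any(s + "-api" in ev for s in SERVICES):
            counts.update(api_ips(ev))
    return dict(counts)
```

In Splunk the `api_ips` approach corresponds to capturing the whole comma-separated list with one rex and then splitting it with `makemv delim="," ipip | mvexpand ipip` before `stats count by ipip`.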

richgalloway
SplunkTrust

"ipip" is not a valid argument to the stats command. It's not a field, either. It's not clear what you're trying to do with the search, but something like this should get some results.

"api" AND "delete" AND ("neutron" OR "nova" OR "cinder" OR "glance") | rex field=_raw "api:\s(?<ipip>\d+.\d+.\d+.\d+)" | stats list(ipip)
---
If this reply helps you, Karma would be appreciated.
0 Karma