Here's what I landed on, in case it's helpful for folks in the future.
| eval isIPV4 = if(match(IP,"^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$"),"True","False")
The best regex for validating IPv4 is an ever-evolving conversation on Stack Overflow. So, I used the latest from there, but from this highest rated answer, not the accepted one: https://stackoverflow.com/a/36760050/6376311
Since someone mentioned it, in order to validate private/public IPv4, I made myself an eval-based macro with the following:
case(
cidrmatch("10.0.0.0/8",$IP$),"False",
cidrmatch("172.16.0.0/12",$IP$),"False",
cidrmatch("192.168.0.0/16",$IP$),"False",
isnull($IP$) OR like($IP$,""), "False",
match($IP$,"^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$"),"True")
Then, I can use it in any query like:
| eval Remote_Address_isExternal = `isExternalIPv4(Remote_Address)`
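Added example (not code from any post in this thread): a Python check of the two match() patterns posted in this thread and of the macro's case() branch order, run over constructed sample values. The `cidrmatch` helper is a stand-in built on `ipaddress` and is assumed to return false for strings that are not addresses; `is_external`, `compare` and `SAMPLES` are names made up for this example.

```python
import ipaddress
import re

# Patterns copied from the thread; re.ASCII limits \d to 0-9.
LOOSE = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$", re.ASCII)
STRICT = re.compile(r"^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$", re.ASCII)
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample values, not taken from any real log.
SAMPLES = ["8.8.8.8", "10.1.2.3", "172.31.255.254", "172.32.0.1",
           "192.168.1.10", "999.999.999.999", "256.1.1.1", "1.2.3", ""]


def cidrmatch(net, value):
    """Stand-in for SPL cidrmatch(); assumed false for unparsable input."""
    try:
        return ipaddress.IPv4Address(value) in net
    except ValueError:
        return False


def is_external(value):
    """Mirror the macro's case() order; None models SPL NULL (no branch hit)."""
    if any(cidrmatch(net, value) for net in PRIVATE):
        return "False"
    if value is None or value == "":
        return "False"
    if STRICT.match(value):
        return "True"
    return None


def compare(values):
    """Return (value, loose_ok, strict_ok, is_external) for each input."""
    return [(v, bool(LOOSE.match(v)), bool(STRICT.match(v)), is_external(v))
            for v in values]


if __name__ == "__main__":
    for row in compare(SAMPLES):
        print("%-17r loose=%-5s strict=%-5s external=%s" % row)
```

The rows where `external` is `None` correspond to a NULL field in Splunk, because the macro's case() has no default branch for values that fail the regex.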
You can do something like this:
| eval fieldX = if(match(fieldX, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"), "do something", "do something else")
Perfect. Thanks!
Could you do something like this?
| eval isLocal=if(cidrmatch("10.0.0.0/24",ip), "local", "not local")
You could try 0.0.0.0/24 and see if that matches any IP address?
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions