Everyone is on the right track. And any and all of these solutions should have been successful. So what we'll need is a solid sample of two events that show the varied fields. Because there is something you are not noticing or telling us... and all these eyes here should be able to see if you let us. You can anonymize the data by changing a few key numbers. Do not turn it into garbage or we can't give a 1:1 test on the data without editing it ourselves.
I used a sample from an httpd access_combined log on a public facing server. It has two IP addresses
184.108.40.206 - - [01/Aug/2016:11:03:07 -0700] "GET /atlas/NewDay/1/2/2/2/2/2/2/0/2.png?c=1470074467 HTTP/1.1" 200 222762 "http://splunkcraft.splunkoxygen.com/atlas/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36"51.0.274.106
This will capture the last IP only that is immediately followed by the end of the event in a single line event and in a multiline event the
$ is present after each
\n carriage at the end of EACH line (which could possibly be your problem). It works in my sample data.
This will capture the first IP only
What I have done in the past when unsure as to whether something was being considered single or multiline by Splunk (or rather by any regex engine) I prefix the regex with the specific flag, which tells regex how to treat the line ending very deliberately. so
might work... I'm honestly not sure if it forces the look at the end of the event or if it's just properly labeling it. so no guarantees 🙂
nice try ... but it does not work 😞
Generally I use the wizzard and not type in dircetly my regex but taht time wizzard generate the following error :
The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings.
Forget the wizard and use rex directly:
YOUR SEARCH HERE | rex field=_raw ",\"(?P‹lastIP›\d+\.\d+\.\d+\.\d+)\"$"
lauMarot: that should match the example data you gave us. If it doesn't, please give more example of data.
sjohnson: writing this, I realised you needed to escape the dots in there, otherwise technically your regex could match any long number...
$ represent the end of a line in multi-lin, so it should work if that IP is the end of the line..
But why use a dollar sign?
This will say look for a digit who's length is from 1-3 digits followed by a
. follow by 1-3 digits, then a
., then 1-3 digits, then a
. follow by 1-3 digits
Whoops, thanks for pointing that out. Yes true, if he has multiple unique IP addresses then he could use a dollar sign or a lookbehind