Hey,
your regex/rex is broken.
You use rex field=src "(?(\d{1,3}).(\d{1,3}).(\d{1,3}).(\d{1,3}))".
When you put that regex into regex101.com, you'll see it's not valid.
So, let's start by fixing the regex - use rex "(?<src>(\d{1,3}).(\d{1,3}).(\d{1,3}).(\d{1,3}))".
I also removed the field=src, because that tells rex in which field to search, not which field to extract to.
You most likely want to search in the complete event (which would be field=_raw, which is also the default for rex).
So, the line above should properly extract the IP address to the src field, and you should be able to search for it with your token.
Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂
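Added illustration, not part of the answer above and not Splunk's own code: a small Python model of what rex field=_raw does with the two patterns from this thread. Python's re module spells named groups (?P<name>...) rather than PCRE's (?<name>...), so the block includes a tiny converter for that; the three log events are constructed sample data. Beyond the answer itself, it also shows one caveat worth knowing when a dotted-quad pattern leaves the dots unescaped: an unescaped "." matches any character, so on events that start with a date the pattern can capture the date instead of the IP address, while the escaped variant only matches a literal dot.

```python
import re
from typing import List, Optional

# The pattern from the question (invalid: "(?(" opens a conditional group in PCRE and in Python).
BROKEN_PATTERN = r"(?(\d{1,3}).(\d{1,3}).(\d{1,3}).(\d{1,3}))"
# The corrected pattern from the answer, exactly as given (dots unescaped).
FIXED_PATTERN = r"(?<src>(\d{1,3}).(\d{1,3}).(\d{1,3}).(\d{1,3}))"
# Same pattern with the dots escaped so they only match a literal '.'.
STRICT_PATTERN = r"(?<src>(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3}))"

# Constructed sample events standing in for Splunk's _raw field (not taken from the thread).
SAMPLE_EVENTS = [
    "2024-01-01T10:00:00Z sshd[1234]: Failed password for root from 203.0.113.45 port 2222 ssh2",
    "2024-01-01T10:00:05Z app: request served to client=198.51.100.7 status=200",
    "2024-01-01T10:00:09Z kernel: no address here, build 1234 of 5678",
]


def to_python_regex(pcre_pattern: str) -> str:
    """Translate PCRE-style named groups (?<name>...) into Python's (?P<name>...).

    Lookbehinds (?<= and (?<! are left untouched because the next character is not
    a valid name start.
    """
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pcre_pattern)


def is_valid_pattern(pattern: str) -> bool:
    """True when the pattern compiles, i.e. the check regex101 would make for you."""
    try:
        re.compile(to_python_regex(pattern))
        return True
    except re.error:
        return False


def rex(events: List[str], pattern: str, field: str = "src") -> List[Optional[str]]:
    """Model of `rex field=_raw "<pattern>"`: search each raw event and return the
    text captured by the named group `field`, or None when the event does not match."""
    compiled = re.compile(to_python_regex(pattern))
    results: List[Optional[str]] = []
    for raw in events:
        match = compiled.search(raw)
        results.append(match.group(field) if match else None)
    return results


def search_by_src(events: List[str], pattern: str, wanted: str) -> List[str]:
    """Model of the follow-up search `src=<token>`: keep the events whose extracted
    src equals the token value."""
    return [raw for raw, src in zip(events, rex(events, pattern)) if src == wanted]


if __name__ == "__main__":
    print("broken pattern compiles:", is_valid_pattern(BROKEN_PATTERN))
    print("fixed pattern compiles: ", is_valid_pattern(FIXED_PATTERN))
    print("src (dots unescaped):   ", rex(SAMPLE_EVENTS, FIXED_PATTERN))
    print("src (dots escaped):     ", rex(SAMPLE_EVENTS, STRICT_PATTERN))
    print("events for 203.0.113.45:", search_by_src(SAMPLE_EVENTS, STRICT_PATTERN, "203.0.113.45"))
```

Running it shows the broken pattern failing to compile, the answer's pattern extracting a value for every event, and the escaped pattern extracting only real dotted quads (and nothing from the third event). The same difference applies inside Splunk, since rex uses PCRE: if the events you search carry a timestamp or other dot-free digit runs before the address, escaping the dots keeps the src field from being filled with the wrong text.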