Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to write the regex to extract the IP Address, but not CIDr notations from my sample data?

j666gak
Communicator
‎04-03-2015 07:17 PM

Hello,

I am trying to extract fields from a feed that I have, but the automated field extractor is not working for me though. I want to tag the IP address at the very end of every line and call it 'src_ip'. However the automated tool picks up the two CIDr notations every time as well as the IP address at the end of the line.

I am looking for Regex that will only pickup the IP address at the end of each line, and NOT the CIDr notations.

20150404 00:12 http://www.yahoo.com domain\user faddr=192.168.1.0/24 gaddr=192.168.1.0/24 192.168.1.68
20150404 00:12 http://www.yahoo.com domain\user faddr=192.168.1.0/24 gaddr=192.168.1.0/24 192.168.1.21

Would really appreciate somebody to provide me with the Regex it would be much appreciated.

Many thanks

0 Karma
Reply

rsennett_splunk
Splunk Employee
Splunk Employee
‎04-03-2015 08:12 PM

Here you go:

^([^\s]+\s+){6}(?P<src_ip>\d+\.\d+\.\d+\.\d+)
With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...