Solved: How do i search for IPv6 addresses from my src_ip ...

cesaccenturefed · ‎08-14-2015

I'm trying to do a search that finds IPv6 addresses. Currently our field src_ip has both IPv4 and IPv6 in it. How can i search so only events with IPv6 addresses are returned?

lloydd518 · ‎08-14-2015

This is a bit quick and dirty but...

sourcetype=your_sourcetype src_ip=":"

View solution in original post

bigll · ‎06-29-2021

One that works for me

src_ip="*:*"

diablojohn · ‎02-05-2019

This is the simplest way i could come up with.

| regex src_ip!="(^[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$)"

This will remove all IPv4 addresses from your search. don't forget to switch "src_ip" to what field you are searching. (e,g, dest_ip, rx_hosts, tx_hosts)

diablojohn · ‎02-05-2019

this is the most simplest way i came up with.

| regex src_ip!="(^[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$)"

this will remove all IPv4 addresses from your search.

lloydd518 · ‎08-14-2015

This is a bit quick and dirty but...

sourcetype=your_sourcetype src_ip=":"

cesaccenturefed · ‎08-27-2015

I feel as though I should slap myself in the face for not figuring this out on my own! just tried it and it worked. did this src_ip=":"

How do i search for IPv6 addresses from my src_ip field.

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...