Solved: Retrieve last value in a comma-delimited field - Splunk Community

All Apps and Add-ons

If my rex field has one or multiple fields delimited by commas, how can I get the last value if there is more than one? Or if there is only one value, then retrieve that one.

Search: sourcetype="xxxxxx" | rex field=_raw "True IP:(?.*)"

True IP:68.5.194.110, 204.2.160.228
True IP:81.21.89.165

1 Solution

Solution

Thank you Kristian, you did give me the idea to resolve the issue correctly. It appears that what I needed was the first IP address and not the last.

I discovered erex and what a powerful tool! It generated the following rex that solved my problem:

rex "(?i) IP?:(?P<true_ip>\d+\.\d+\.\d+\.\d+)"

View solution in original post

Solution

Thank you Kristian, you did give me the idea to resolve the issue correctly. It appears that what I needed was the first IP address and not the last.

I discovered erex and what a powerful tool! It generated the following rex that solved my problem:

rex "(?i) IP?:(?P<true_ip>\d+\.\d+\.\d+\.\d+)"

If you are not interested in the first of two TrueIP's, you could always do something like this for a log message that looks like:

message=blah user=admin true IP: 1.2.3.4, 2.3.4.5 error=fatal

the field extraction would be something like:

rex ",?\s(?<true_ip>\d+\.\d+\.\d+\.\d+)\serror="

hope this helps, but please provide more info in order to get better help

/k

Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open! conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor. HEC Receiver authorization ...