I have a field that contains both an IP address and a port number separated by a semicolon (example: 10.1.1.1:23). How do I use rex to trim off the port#, leaving me with just the IP address?
If you're wanting to replace the field value, @jkat54's solution should work. However, if you only want to extract the IP into a field, try this:
.... | rex field=_raw "(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
This rex will extract all IP addresses into a field called ip.
Hi, try this:
...| rex mode=sed field=fieldName "s/\:\d+//g"
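The two expressions from the answers above, compared on constructed values. This is an added example that is not part of the original thread: Python's `re` stands in for rex (named groups are spelled `(?P<ip>...)`), and the function names and the anchored variant are assumptions introduced here. It shows what each form returns when the field holds more than a bare `address:port` value.

```python
import re

# Constructed sample values (not from the original thread).
SAMPLES = [
    "10.1.1.1:23",
    "192.168.0.5:8080",
    "172.16.4.9",                      # no port present
    "host=10.1.1.1:23 at 10:15:30",    # address embedded in a longer string
]

# Extraction pattern from the first answer, in Python's named-group spelling.
EXTRACT = re.compile(r"(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")
# Substitution from the second answer, s/\:\d+//g: removes every ":digits" run.
SED_GLOBAL = re.compile(r":\d+")
# Assumed stricter variant: strip a port only when it directly follows an IPv4 address.
SED_ANCHORED = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):\d+\b")


def extract_ip(value):
    """Return the first dotted-quad in value, or None (leaves value untouched)."""
    m = EXTRACT.search(value)
    return m.group("ip") if m else None


def strip_port_global(value):
    """Model of the sed-mode answer: delete all ':<digits>' substrings."""
    return SED_GLOBAL.sub("", value)


def strip_port_anchored(value):
    """Delete ':<digits>' only where it is attached to an IPv4 address."""
    return SED_ANCHORED.sub(r"\1", value)


def compare(values):
    """Return (input, extracted ip, global strip, anchored strip) per value."""
    return [(v, extract_ip(v), strip_port_global(v), strip_port_anchored(v))
            for v in values]


if __name__ == "__main__":
    for row in compare(SAMPLES):
        print(row)
```

On a bare `address:port` value all three agree; on the last sample the global substitution also deletes the `:15` and `:30` of the time, which matters if the expression is pointed at a wider field such as `_raw`.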