"api" AND "delete" AND ("neutron" OR "nova" OR "cinder" OR "glance") | rex field=_raw "api:(?\s\d+.\d+.\d+.\d+)" | stats ipip
No result after adding "| stats ipip".
Jul 27 16:47:59 iccontroller01 neutron-api: 192.168.120.5, 192.168.100.104 - - [27/Jul/2016:16:47:59 +0800] "DELETE /v2.0/floatingips/34840e14-8387-4cf0-bd26-b3f84782a8c9.json HTTP/1.1" 204 - "-" "python-neutronclient"
Try this
"api" AND "delete" AND ("neutron" OR "nova" OR "cinder" OR "glance") | rex field=_raw "api:( \d+\.\d+\.\d+\.\d+,?){0,3}" |mvexpand IP | table IP
What does {0,3} mean?
{0,3} means the group can occur 0 - 3 times. In this case, the group is space followed by IP pattern. If the IP can only appear in that segment of the event, you could also do
.... | rex max_match=0 "(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
The only risk with this is it will capture all IP addresses no matter where they appear in the event.
"api" AND "delete" AND ("neutron" OR "nova" OR "cinder" OR "glance") | rex field=_raw "api:(?\s\d+.\d+.\d+.\d+){0,3}" |mvexpand ipip | table ipip | stats count by ipip
This shows more IPs than the previous answer.
As your splunk search isn't formatted correctly, I hope I got it right (use the "Code Sample" button above when posting a Splunk Search).
Using your regex I can extract it without a problem:
search | rex field=_raw "api:(?<ipip>\s\d+.\d+.\d+.\d+)" | stats first(ipip)
The command first(ipip) can extract it, but it only shows one IP result, and when I count it, no result is found.
"api" AND "delete" AND ("neutron" OR "nova" OR "cinder" OR "glance") | rex field=_raw "api:(?\s\d+.\d+.\d+.\d+)" | stats count by first(ipip)
The stats function "first" just shows the first ipip that was seen by splunk.
To count by extracted IP addresses use something like this:
"api" AND "delete" AND ("neutron" OR "nova" OR "cinder" OR "glance") | rex field=_raw "api:\s(?<ipip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | stats count by ipip
It still only extracts the first IP address following "api: " of the log event.
"ipip" is not a valid argument to the stats
command. It's not a field, either. It's not clear what you're trying to do with the search, but something like this should get some results.
"api" AND "delete" AND ("neutron" OR "nova" OR "cinder" OR "glance") | rex field=_raw "api:\s(?<ipip>\d+.\d+.\d+.\d+)" | stats list(ipip)