Current search:
search "xxx" | rex field=_raw "api:\s(?<IP>\d+.\d+.\d+.\d+)"
I'm using the rex command, but it does not return the expected result when there are two IP addresses.
If both IPs are in the same event with "api" before it, you can use max_match, like this:
search "xxx" | rex max_match=0 field=_raw "api:\s?(?<IP>\d+.\d+.\d+.\d+)" | mvexpand IP | table IP
If they are not in the same event, I will need to see some sample events.
http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Regex
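A Python stand-in for the rex / max_match behaviour described in the answer, added here as an example and not taken from the original thread. The sample events are constructed; the regex escapes the dots and the code checks octet ranges, which the posted search does not do.

```python
import re

# Constructed sample events (not from the original post): the first
# carries two "api:" addresses, the second carries one.
SAMPLE_EVENTS = [
    'ts=1 api: 10.0.0.5 -> api:192.168.1.20 status=200',
    'ts=2 api: 172.16.3.9 status=500',
]

# Same pattern as the answer, but with "." escaped so it only matches a
# literal dot. Python spells named groups (?P<IP>...) where Splunk's
# PCRE-style regex uses (?<IP>...).
API_IP_RE = re.compile(r'api:\s?(?P<IP>\d{1,3}(?:\.\d{1,3}){3})')


def rex(event, max_match=1):
    """Mimic Splunk rex: return only the first match by default, or every
    match when max_match=0 (the case that produces a multivalue field)."""
    matches = [m.group('IP') for m in API_IP_RE.finditer(event)]
    return matches if max_match == 0 else matches[:max_match]


def is_valid_ipv4(addr):
    """Reject octets above 255, which \\d{1,3} on its own still accepts."""
    return all(0 <= int(octet) <= 255 for octet in addr.split('.'))


def extract_ips(events, max_match=1):
    """Run rex over every event and flatten the result like `mvexpand IP`."""
    ips = []
    for event in events:
        ips.extend(ip for ip in rex(event, max_match) if is_valid_ipv4(ip))
    return ips


if __name__ == '__main__':
    # Default rex behaviour drops the second address in the first event;
    # max_match=0 keeps it.
    print('default    :', extract_ips(SAMPLE_EVENTS))
    print('max_match=0:', extract_ips(SAMPLE_EVENTS, max_match=0))
```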
Please share some sample events.