I'm trying to do a search that will show me only IP address for the field url,
example = sourcetype=fakename url=(only field that has IP address in it 1.1.1.1 or 1.1.1.1/index)
Do you know what i can use for the url field that will only give me ip address?
This will output only things where the url looks like an ip address.
sourcetype=fakename | where match(url, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")
Try like this
index=foo sourcetype=bar | regex url=".+(\d{1,3}\.}{3}\d{1,3}).*"
Note - This solution answers the question in the title - what will eliminate all records that do not have an IP somewhere in the url field. I'm not absolutely sure that's what the OP is asking, but I'm not sure it's not.
@mrtolu6 - If you only want url values that START with an IP, like your examples, then replace the .+
with ^
This, seems to run slow when i run this, do you know another search i can run to get the IP addressw
Try these to see if they perform any better. Since you're filter is regex driven, it can't be easily include in base/main search which will make it faster.
not so much hope on being faster
index=foo sourcetype=bar | where match(url,"(\d{1,3}\.}{3}\d{1,3})")
OR dirty workaround
index=foo sourcetype=bar [| gentimes start=-1 | eval p=mvrange(1,10) | table p | mvexpand p | eval q=mvrange(0,10) | mvexpand q | eval r=mvrange(0,10) | mvexpand r | eval s=mvrange(0,10) | mvexpand s | eval url="*".p."*.".q."*.".r."*.".s."*" | table url]
none of these seems to work.