Splunk Search

How to search for url fields that only contain IP address

mrtolu6
Path Finder

I'm trying to do a search that will show me only IP addresses for the field url,

example = sourcetype=fakename url=(only field that has IP address in it 1.1.1.1 or 1.1.1.1/index)

Do you know what I can use for the url field that will only give me IP addresses?

0 Karma

automayt
Explorer

This will output only things where the url looks like an IP address.

sourcetype=fakename | where match(url, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")
0 Karma

somesoni2
SplunkTrust

Try like this

index=foo sourcetype=bar | regex url=".+(\d{1,3}\.){3}\d{1,3}.*"
0 Karma

DalJeanis
SplunkTrust

Note - This solution answers the question in the title - what will eliminate all records that do not have an IP somewhere in the url field. I'm not absolutely sure that's what the OP is asking, but I'm not sure it's not.

@mrtolu6 - If you only want url values that START with an IP, like your examples, then replace the .+ with ^.

0 Karma

mrtolu6
Path Finder

This seems to run slow when I run it. Do you know another search I can run to get the IP addresses?

0 Karma

somesoni2
SplunkTrust

Try these to see if they perform any better. Since your filter is regex driven, it can't easily be included in the base/main search, which would make it faster.

Not so much hope of this being faster:

index=foo sourcetype=bar | where match(url,"(\d{1,3}\.){3}\d{1,3}")

OR a dirty workaround:

index=foo sourcetype=bar [| gentimes start=-1 | eval p=mvrange(1,10) | table p | mvexpand p | eval q=mvrange(0,10)  | mvexpand q | eval r=mvrange(0,10)  | mvexpand r | eval s=mvrange(0,10)  | mvexpand s | eval url="*".p."*.".q."*.".r."*.".s."*" | table url]

mrtolu6
Path Finder

None of these seems to work.

0 Karma
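One way to see which of the patterns from this thread accepts which url values before running them against real data, as an added example that is not from any of the posters: makeresults builds a few constructed url values (including the OP's 1.1.1.1 and 1.1.1.1/index), each eval applies one regex, and the final search uses the pattern that keeps both of the OP's examples while dropping hostnames. index=foo sourcetype=bar is the placeholder base search from the replies above, and the strict octet pattern (0-255 per octet) is an addition not discussed in the thread.

```spl
| makeresults
| eval url=split("1.1.1.1,1.1.1.1/index,10.20.30.40/login,example.com,example.com/1.2.3.4,256.1.1.1", ",")
| mvexpand url
``` constructed sample values: two from the question, a hostname, a hostname with an IP in the path, and an out-of-range octet ```
| eval ip_anywhere=if(match(url, "(\d{1,3}\.){3}\d{1,3}"), 1, 0)
``` regex command variant from the thread: an IP anywhere in url, so example.com/1.2.3.4 passes ```
| eval ip_exact=if(match(url, "^(\d{1,3}\.){3}\d{1,3}$"), 1, 0)
``` anchored at both ends: 1.1.1.1/index does NOT pass ```
| eval ip_prefix=if(match(url, "^(\d{1,3}\.){3}\d{1,3}(/|$)"), 1, 0)
``` anchored at the start, then either end of string or a path separator: both OP examples pass, hostnames do not ```
| eval ip_strict=if(match(url, "^((25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(25[0-5]|2[0-4]\d|1?\d?\d)(/|$)"), 1, 0)
``` same as ip_prefix but each octet limited to 0-255, so 256.1.1.1 is rejected ```
| table url ip_anywhere ip_exact ip_prefix ip_strict

``` the filter to run against real events once the table above looks right ```
index=foo sourcetype=bar
| where match(url, "^((25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(25[0-5]|2[0-4]\d|1?\d?\d)(/|$)")
```

The triple-backtick inline comments require a Splunk version that supports SPL comments; on older versions remove those lines. The regex still runs per event after the base search, so the only way to speed it up is to narrow index=foo sourcetype=bar with indexed fields or a time range first.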