How to search for url fields that only contain IP ...

mrtolu6 · ‎07-06-2017

I'm trying to do a search that will show me only IP address for the field url,

example = sourcetype=fakename url=(only field that has IP address in it 1.1.1.1 or 1.1.1.1/index)

Do you know what i can use for the url field that will only give me ip address?

automayt · ‎09-15-2020

This will output only things where the url looks like an ip address.

sourcetype=fakename | where match(url, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")

somesoni2 · ‎07-06-2017

Try like this

index=foo sourcetype=bar | regex url=".+(\d{1,3}\.}{3}\d{1,3}).*"

DalJeanis · ‎07-06-2017

Note - This solution answers the question in the title - what will eliminate all records that do not have an IP somewhere in the url field. I'm not absolutely sure that's what the OP is asking, but I'm not sure it's not.

@mrtolu6 - If you only want url values that START with an IP, like your examples, then replace the .+ with ^

mrtolu6 · ‎07-06-2017

This, seems to run slow when i run this, do you know another search i can run to get the IP addressw

somesoni2 · ‎07-06-2017

Try these to see if they perform any better. Since you're filter is regex driven, it can't be easily include in base/main search which will make it faster.

not so much hope on being faster

index=foo sourcetype=bar | where match(url,"(\d{1,3}\.}{3}\d{1,3})")

OR dirty workaround

index=foo sourcetype=bar [| gentimes start=-1 | eval p=mvrange(1,10) | table p | mvexpand p | eval q=mvrange(0,10)  | mvexpand q | eval r=mvrange(0,10)  | mvexpand r | eval s=mvrange(0,10)  | mvexpand s | eval url="*".p."*.".q."*.".r."*.".s."*" | table url]

mrtolu6 · ‎07-10-2017

none of these seems to work.

How to search for url fields that only contain IP address

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability