Split IP Address in network and host part

MOberschelp
Explorer

Hi everyone,

I've got a little problem. I want to split up IP addresses into a network part and a host part (to create a chart for network segments).

some search | rex field=scrip "(?<Net>.*\..*\.)(?<Host>.*)"

This is the rex part that I got so far. But there are no fields created with "Net" or "Host". What am I doing wrong?

Thanks for your help!

Regards,
Maik

1 Solution

Yunagi
Communicator

What is the name of the field which contains the IP address? Is it really "scrip"? Perhaps there is a typo and it should be "srcip" or "src_ip".

I have modified your regex a little. Try it like this:

rex field=src_ip "(?<Net>\d+\.\d+\.\d+)\.(?<Host>\d+)"

I tested it like this which created a "Net" field and "Host" field:

| makeresults count=1 | eval src_ip="192.168.0.1" | rex field=src_ip "(?<Net>\d+\.\d+\.\d+)\.(?<Host>\d+)"


micahkemp
Champion

Are you going to assume that every IP address belongs to a /24 network? That's not always a valid assumption.

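Added example, not code from the thread or from Splunk: a Python equivalent of the accepted rex (three dotted octets as Net, last octet as Host), next to a prefix-aware split that covers micahkemp's point that an address does not always sit in a /24. The event list and the function names are constructed for illustration.

```python
import re
import ipaddress

# Same pattern as the accepted answer, in Python syntax. Like rex it is unanchored
# (search semantics) and \d+ does not validate octet ranges, so "999.1.2.3" still matches.
RE_SLASH24 = re.compile(r"(?P<Net>\d+\.\d+\.\d+)\.(?P<Host>\d+)")


def split_slash24(src_ip):
    """Mirror of the rex: returns (Net, Host) strings, or None when nothing matches."""
    m = RE_SLASH24.search(src_ip)
    if not m:
        return None
    return m.group("Net"), m.group("Host")


def split_by_prefix(src_ip, prefixlen):
    """Split an IPv4 address at an arbitrary prefix length.

    Returns (network in CIDR notation, host number within that network).
    Raises ValueError for values that are not valid IPv4 addresses, which the
    regex approach would silently accept or mis-split.
    """
    addr = ipaddress.IPv4Address(src_ip)
    net = ipaddress.IPv4Network((addr, prefixlen), strict=False)
    host_bits = 32 - prefixlen
    host = int(addr) & ((1 << host_bits) - 1)
    return str(net), host


def count_by_segment(src_ips, prefixlen=24):
    """The chart the question asks for: events per network segment, given a prefix length."""
    counts = {}
    for ip in src_ips:
        try:
            net, _ = split_by_prefix(ip, prefixlen)
        except ValueError:
            continue  # skip values that are not IPv4 addresses
        counts[net] = counts.get(net, 0) + 1
    return counts


# Constructed sample of src_ip values, including one non-address value.
SAMPLE_EVENTS = ["192.168.0.1", "192.168.0.77", "192.168.1.5", "10.0.0.9", "not-an-ip"]

if __name__ == "__main__":
    print(split_slash24("192.168.0.1"))          # ('192.168.0', '1')
    print(count_by_segment(SAMPLE_EVENTS, 24))   # three /24 segments
    print(count_by_segment(SAMPLE_EVENTS, 16))   # the two 192.168.x segments merge
```

With prefixlen=24 the result matches the accepted rex; changing the prefix length is all that is needed when the segments are not class C.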

MOberschelp
Explorer

In this case... or for this case, the IP address always belongs to a class C network.


493669
Super Champion

Hey,
It seems you have a typo in your field name ... is your field name scrip or script?


MOberschelp
Explorer

Omg! Please ignore this whole question...
We've checked it twice but didn't see that I had a typo. Of course the field is srcip and not scrip.

If I write it in the correct way it works fine... 😉

Thank you for your hint.

Regards,
Maik
