How to edit regex for existing fields

jas0049 · ‎05-27-2019

Hi!
need to edit existing fields using regex as its not giving proper values.
e.g. there is field called "IP" (auto extracted ) its have IP address with some other values. so need to remove extra values apart from ip address.
Please suggest.

woodcock · ‎05-27-2019

The regex command is a search filtering command, not a field creating/parsing command. You need to use rex for that.

koshyk · ‎05-27-2019

Splunk can do it easily during search time. Please find regex for various IP address types

 | makeresults
 | eval mixedIP="10.0.0.1:8000"
 | rex field=mixedIP "(?<ipv4>(?:[0-9]{1,3}\.){3}[0-9]{1,3})"

..

cpetterborg · ‎05-27-2019

You can always use the rex command to create/modify a field that is always extracted. For example:

| makeresults
| eval IP="10.0.0.1:9997"
| rex field=IP "(?<myIP>[\d.]+)"

will result in myIP containing just the IP, and not the port from the IP field.

For future reference, it is always best to give some example data with your question so that it is easier to help answer you particular problem.

How to edit regex for existing fields

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!