Splunk Search

Extracting multiple IP addresses into separate fields

pshales
Engager

I have an access log that always begins with at least one IP like:

255.255.255.255 - - ...

Using the interactive extraction tool made extracting it a breeze and created this:

(?i)^(?P<ip_address>[^ ]+)

But a minority of log entries will have a chain of IP addresses at the beginning like:
255.255.255.255, 254.254.254.254, 253.253.253.253 - - .....

My goal is to extract the second and third IPs into their own separate fields as well and have them named something like ip_address2 and ip_address3.

My goal:
ip_address=255.255.255.255
ip_address2=254.254.254.254
ip_address3=253.253.253.253

Due to these entries being a small minority I have been unable to get any of those records to show up in the interactive extraction tool's sample area. Does anyone know a regex that will give me the desired results? An explanation of the syntax would be greatly appreciated as well.

As an alternative to providing a regex, instructions on how to get custom results to show up in the field extraction tool's sample area would probably work as well; then I would be able to let Splunk generate the proper query.

In the meantime I will continue reading up on Splunk and regex extraction and hopefully solve this for myself and then post the answer but if any of you regex gurus want to show off your skills it would be a huge time saver.

Thanks!

0 Karma
1 Solution

amit_saxena
Communicator

Hi,

Does the following regular expression work? I haven't checked it on Splunk, but I can do that later, as I don't have access to Splunk right now.

^(?i)(?P<ip_address>[^ ,]+)(, *(?P<ip_address2>[^ ,]+), *(?P<ip_address3>[^ ,]+))? *- - *

It will be used with "rex" command as below.

rex "^(?i)(?P<ip_address>[^ ,]+)(, *(?P<ip_address2>[^ ,]+), *(?P<ip_address3>[^ ,]+))? *- - *"

Let me know if this does not work; I will try some other approach with the regular expression.

Regards,
Amit Saxena

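To see how the accepted regex behaves outside Splunk, here is an added Python re-implementation (not the poster's code and not a Splunk product). Python's re module accepts the same (?P<name>...) named groups that rex uses; the only change is that Python requires the global (?i) flag at the very start of the pattern, so it is moved ahead of the ^ anchor. The sample log lines are constructed for this example. The block also goes one step beyond the thread: because the optional group in the accepted answer requires both a second and a third IP, a line with exactly two IPs does not match at all, so a second function captures the whole comma-separated run before " - -" and splits it into ip_address, ip_address2, ip_address3, ... for any count, and validates each token with the standard ipaddress module so that non-IP junk in that position is flagged rather than silently stored as an IP field.

```python
import ipaddress
import re

# The thread's rex pattern, re-expressed for Python's re module.
# Python insists that a global flag such as (?i) come first, so it precedes ^.
# Captures ip_address2 and ip_address3 only when BOTH are present.
THREAD_PATTERN = re.compile(
    r"(?i)^(?P<ip_address>[^ ,]+)"
    r"(, *(?P<ip_address2>[^ ,]+), *(?P<ip_address3>[^ ,]+))?"
    r" *- - *"
)

# General form: grab the entire comma-separated run that precedes " - -",
# then split it, so two, three or more leading addresses all work.
CHAIN_PATTERN = re.compile(r"^(?P<chain>[^ ,]+(?:, *[^ ,]+)*) *- - *")

# Constructed sample lines in the shape described in the question.
SAMPLE_LINES = [
    '255.255.255.255 - - [10/Oct/2000:13:55:36 -0700] "GET / HTTP/1.0" 200 2326',
    '255.255.255.255, 254.254.254.254, 253.253.253.253 - - '
    '[10/Oct/2000:13:55:37 -0700] "GET /a HTTP/1.0" 200 17',
    '10.0.0.1, 10.0.0.2 - - [10/Oct/2000:13:55:38 -0700] "GET /b HTTP/1.0" 404 0',
    'not-an-ip, 192.0.2.7 - - [10/Oct/2000:13:55:39 -0700] "GET /c HTTP/1.0" 200 5',
]


def thread_extract(line):
    """Apply the accepted answer's regex.

    Returns the three named groups (None for absent ones), or None when the
    line does not match at all, which is what happens with exactly two IPs.
    """
    m = THREAD_PATTERN.match(line)
    return m.groupdict() if m else None


def chain_extract(line):
    """Extract any number of leading comma-separated addresses.

    Field names follow the question's convention: ip_address, ip_address2,
    ip_address3, ...  Tokens that are not valid IPv4/IPv6 literals are kept
    in their positional field but also listed under 'invalid' so a search
    can spot malformed or hostile values in that position.
    """
    m = CHAIN_PATTERN.match(line)
    if not m:
        return None
    fields = {}
    invalid = []
    for i, token in enumerate(m.group("chain").split(",")):
        token = token.strip()
        name = "ip_address" if i == 0 else f"ip_address{i + 1}"
        fields[name] = token
        try:
            ipaddress.ip_address(token)
        except ValueError:
            invalid.append(token)
    if invalid:
        fields["invalid"] = invalid
    return fields


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("line  :", line[:55])
        print("thread:", thread_extract(line))
        print("chain :", chain_extract(line))
        print()
```

Running the script shows the accepted regex handling the one-IP and three-IP lines exactly as the question wants, returning None for the two-IP line, while the chain version names every address by position and flags "not-an-ip" as invalid. A Splunk equivalent of the chain approach would be a rex that captures the run into one field followed by an eval with split(), but that is outside what the thread itself shows.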

pshales
Engager

Yeah but I'm stuck on step 1 extract the ip.

0 Karma

linu1988
Champion

Extract the IP, then eval all of them into different fields... I have not tried it; the thought just came to my mind.

0 Karma

Runals
Motivator

http://gskinner.com/RegExr/

That is a great tool to test your regex. Copy/paste some log you are working on and at the top as you start working on your regular expression it highlights in the text what is matched.

0 Karma

amit_saxena
Communicator

It matches anything except space and a comma character

0 Karma

pshales
Engager

It worked! Thanks a lot. I was just about to test a fairly similar string that I had constructed but was missing [^ ,]. If I understand that right it basically says you will see a comma but ignore it?

0 Karma

pshales
Engager

I'm just testing this now, thanks.

0 Karma

pshales
Engager

Hmmm I'm not sure this applies to what I'm trying to do or I just don't understand it. I need to extract the fields before I can use cidrmatch to query on those fields no?

I want to extract any IP that might appear there so are you suggesting I use 0.0.0.0/0 somehow with cidrmatch to match any ip and extract it?

0 Karma

linu1988
Champion

You can use cidrmatch to assign your original IPs to subgroups like you mentioned. I hope this works...
http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/CommonEvalFunctions

0 Karma