Solved: Re: Extract part of a field

starskizzle · ‎11-14-2012

Within my Proxy server logs, I have a field (src_ip) and I would like to only get the first 3 octets of the address.

1286536308.779    180 192.168.0.224 TCP_MISS/200 411 GET http://liveupdate.symantecliveupdate.com/minitri.flg - DIRECT/125.23.216.203 text/plain
1286536308.910     37 192.168.0.224 TCP_MISS/200 4083 GET http://liveupdate.symantecliveupdate.com/streaming/norton$202009$20streaming$20virus$20definitions_1... - DIRECT/125.23.216.203 application/zip
1286536309.450    917 192.168.0.227 TCP_MISS/200 20670 GET http://www.youtube.com/watch? - DIRECT/209.85.231.136 text/html
1286536309.549    172 192.168.0.227 TCP_MISS/204 294 GET http://v15.lscache3.c.youtube.com/generate_204? - DIRECT/122.160.120.150 text/html

What I would to get back from something like this, is just...

192.168.0

Is this possible?

okrabbe_splunk · ‎11-14-2012

You can use the rex command:

... | rex field=src_ip "(?<ip_start>\d+\.\d+\.\d+)"

There will now be a field called ip_start which will have the first 3 octets of the ip address.

View solution in original post

okrabbe_splunk · ‎11-14-2012

You can use the rex command:

... | rex field=src_ip "(?<ip_start>\d+\.\d+\.\d+)"

There will now be a field called ip_start which will have the first 3 octets of the ip address.

starskizzle · ‎11-14-2012

Very slick. Thank you!

Bulluk · ‎11-14-2012

This should do what you need

http://splunk-base.splunk.com/apps/22291/field-extractor

Extract part of a field

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...