Re: How to search for url fields that only contain...

mrtolu6 · ‎07-06-2017

I'm trying to do a search that will show me only IP address for the field url,

example = sourcetype=fakename url=(only field that has IP address in it 1.1.1.1 or 1.1.1.1/index)

Do you know what i can use for the url field that will only give me ip address?

automayt · ‎09-15-2020

This will output only things where the url looks like an ip address.

sourcetype=fakename | where match(url, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")

somesoni2 · ‎07-06-2017

Try like this

index=foo sourcetype=bar | regex url=".+(\d{1,3}\.}{3}\d{1,3}).*"

DalJeanis · ‎07-06-2017

Note - This solution answers the question in the title - what will eliminate all records that do not have an IP somewhere in the url field. I'm not absolutely sure that's what the OP is asking, but I'm not sure it's not.

@mrtolu6 - If you only want url values that START with an IP, like your examples, then replace the .+ with ^

mrtolu6 · ‎07-06-2017

This, seems to run slow when i run this, do you know another search i can run to get the IP addressw

somesoni2 · ‎07-06-2017

Try these to see if they perform any better. Since you're filter is regex driven, it can't be easily include in base/main search which will make it faster.

not so much hope on being faster

index=foo sourcetype=bar | where match(url,"(\d{1,3}\.}{3}\d{1,3})")

OR dirty workaround

index=foo sourcetype=bar [| gentimes start=-1 | eval p=mvrange(1,10) | table p | mvexpand p | eval q=mvrange(0,10)  | mvexpand q | eval r=mvrange(0,10)  | mvexpand r | eval s=mvrange(0,10)  | mvexpand s | eval url="*".p."*.".q."*.".r."*.".s."*" | table url]

mrtolu6 · ‎07-10-2017

none of these seems to work.

How to search for url fields that only contain IP address

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability