Solved: Re: Use regular expressions to search and filterin...

jihoon · ‎02-12-2015

hi.

Add a tutorialdata.zip data and, if you type 'sourcetype = access_ *' searches

clientip = 91.205.189.15 ,182.236.164.11, 198.35.1.75 ...

Of these, only wants to get an IP address that begins with '91'.

Search sourcetype = access_* | rex "clientip=(?P\9d{1}.\d+.\d+).\d+"

However, all of the IP address is retrieved.

How can be modified to achieve the desired results?

Thanks

pradeepkumarg · ‎02-12-2015

Below should work if clientip is already extracted

sourcetype = access* clientip=91*

pradeepkumarg · ‎02-12-2015

Below should work if clientip is already extracted

sourcetype = access* clientip=91*

Ayn · ‎02-12-2015

Yes, and even better would be to include the dot as well, so

sourcetype=access_* clientip=91.*

This will enable Splunk to find all unique events that include the string "91" so it only needs to retrieve those from disk.

Use regular expressions to search and filtering ip