Thanks for the reply, but not exactly the answer I'm looking for...
CLARIFICATION OF MY PROBLEM STATEMENT:
I need to capture every IP found in all logs, regardless of Index/host/source/sourcetype. A single weblog from a busy webserver could yield 1000's of IPs for each unique client requesting a popular webpage. I'm not concerned about Hostnames.
CLARIFICATIONS TO YOUR QUESTIONS:
Example is anything between 0.0.0.0 and 255.255.255.255.
Regex taken from www.regular-expressions.info/ip.html and verified with regex101.com
The idea for "rex field=_raw" is taken from this:
https://answers.splunk.com/answers/656616/how-to-extract-ip-address-using-regex.html
It is applying to every RAW event, regardless of sourcetype or log format.
TESTING:
I tested your pipeline "| dedup ip | sort ip | table ip" , and job-inspector shows that it actually takes longer than the single "| stats values(ip)" pipe. They yield the same results, with slightly different sort (string rather than Integer)
... View more