The venerable old-skool Splunk forums are now closed. Feel free to search for old content here, but new posts are no longer supported.

Instead, please visit the thriving community at answers.splunk.com to ask and answer questions about your Splunk deployment and how to get the most out of it.

Forums: SplunkSearchAndAlert: Searching a specific IP shows multiples, not a single one as planned.




I am attempting to search via the UI for the following IP: 167.68.150.1
What I am looking for is "just" the IP and not anything that has that in the search.

Ex. Yes = 167.68.150.1
No = 167.68.150.125

Have yet to find how to do this. I have tried using " ", ( ) and other combinations to no avail.

Any thoughts would be appreciated. Keep in mind this search will be via the UI. It might also be integrated into the API for searching, but I would settle for just the UI for now.

PStein

"167.68.150.1" | regex _raw="167\.68\.150\.1(?!\d)"

You could also extract the IP address field:

"167.68.150.1" | rex "(?<ip>\d+\.\d+\.\d+\.\d+)" | search ip="167.68.150.1"

If you are using the API, you might want to extract the ip field through the conf files:

props.conf

[your_sourcetype_name]
REPORT-foobar=ip_extraction

transforms.conf

[ip_extraction]
REGEX = (\d+\.\d+\.\d+\.\d+)
FORMAT = ip::$1

It is also worth mentioning that you should probably name the field in line with the "common event model" recommendations:

http://www.splunk.com/base/Apps:Common_Information_Model
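The following is an added example, not code from the thread or from Splunk. SPL cannot be run offline, so it uses Python's `re` (whose lookarounds are PCRE-compatible and so carry over to `| regex _raw="..."`) against a handful of constructed log lines to show why exact-IP matching matters for alerting: a plain text search behaves like substring containment, so an alert on 167.68.150.1 also fires on 167.68.150.125; the `[^\d]` variant of the trailing-character pattern, a common first attempt, misses the address when it is the last thing on the line and accepts it when it is glued to a preceding number; and a `rex` extraction matched with `| search ip="..."` only sees the first address per event unless `max_match=0` is set. The sample events, the `SAMPLE_EVENTS` name and the helper names are all assumptions of this example.

```python
import re
import ipaddress

TARGET = "167.68.150.1"

# Constructed sample events for this example (not taken from the thread).
SAMPLE_EVENTS = [
    "Jan 01 12:00:00 fw1 ACCEPT src=167.68.150.1 dst=10.0.0.5",          # exact hit mid-line
    "Jan 01 12:00:01 fw1 DROP src=167.68.150.125 dst=10.0.0.5",          # longer IP, must NOT match
    "Jan 01 12:00:02 fw1 ACCEPT src=10.0.0.7 dst=167.68.150.1",          # exact hit at end of line
    "Jan 01 12:00:03 bastion sshd: Connection closed by 167.68.150.1.",  # exact hit, sentence period
    "Jan 01 12:00:04 app1 agent=Updater/2.167.68.150.1 status=ok",       # 'digit.' before it, must NOT match
    "Jan 01 12:00:05 fw1 ACCEPT src=167.68.150.10 dst=167.68.150.1",     # first IP is a near miss, second is exact
]


def naive_substring(events, ip=TARGET):
    """What a plain text search effectively does: substring containment."""
    return [i for i, e in enumerate(events) if ip in e]


def trailing_char_regex(events, ip=TARGET):
    """Literal IP followed by one non-digit character ('[^\\d]').
    Misses an IP at end of line and accepts one glued to a leading number."""
    pat = re.compile(re.escape(ip) + r"[^\d]")
    return [i for i, e in enumerate(events) if pat.search(e)]


def exact_ip_regex(events, ip=TARGET):
    """Exact match: not preceded by a digit or 'digit.', not followed by a
    digit or '.digit'.  A bare trailing '.' (end of sentence) is still allowed.
    Fixed-width lookbehinds, so the same pattern works in Splunk's PCRE."""
    pat = re.compile(r"(?<!\d)(?<!\d\.)" + re.escape(ip) + r"(?!\.?\d)")
    return [i for i, e in enumerate(events) if pat.search(e)]


# Same shape as the thread's rex / transforms.conf REGEX.
IPV4_CANDIDATE = re.compile(r"\d+\.\d+\.\d+\.\d+")


def extract_ips(event, first_only=True):
    """Mirror the rex/transforms extraction.  first_only=True is what `| rex`
    does by default (max_match=1); False corresponds to `max_match=0`.
    Candidates with an octet above 255 are discarded by ipaddress."""
    found = []
    for m in IPV4_CANDIDATE.finditer(event):
        try:
            found.append(str(ipaddress.IPv4Address(m.group(0))))
        except ipaddress.AddressValueError:
            continue
        if first_only:
            break
    return found


def field_search(events, ip=TARGET, first_only=True):
    """`| search ip="..."` after extraction: exact equality on the field."""
    return [i for i, e in enumerate(events) if ip in extract_ips(e, first_only)]


if __name__ == "__main__":
    strategies = [
        ("substring", naive_substring),
        ("trailing-char regex", trailing_char_regex),
        ("exact regex", exact_ip_regex),
        ("field, first IP only", field_search),
        ("field, all IPs", lambda ev: field_search(ev, first_only=False)),
    ]
    for name, fn in strategies:
        print(f"{name:22s} -> matching event indexes {fn(SAMPLE_EVENTS)}")
```

Only `exact_ip_regex` and the all-addresses field search agree on the four events that really contain 167.68.150.1; the substring search fires on every line, the trailing-character pattern misses the end-of-line hit and takes the `2.167.68.150.1` false positive, and the first-address-only extraction misses any event where the target is the destination. For an alert, prefer the field extraction (with `max_match=0` on `rex`) so the comparison is on a parsed value rather than on raw text, and keep the exact regex as the `_raw` fallback when no field is available.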