Refine your search:

Retrieve last value in a comma-delimited field

0

If my rex field has one or multiple fields delimited by commas, how can I get the last value if there is more than one? Or if there is only one value, then retrieve that one.

Search: sourcetype="xxxxxx" | rex field=_raw "True IP:(?<true_ip>.*)"

True IP:68.5.194.110, 204.2.160.228 True IP:81.21.89.165

asked 07 Feb '12, 12:02

ericksond's gravatar image

ericksond
11
accept rate: 100%

2 Answers:
oldestnewestmost voted
0

Thank you Kristian, you did give me the idea to resolve the issue correctly. It appears that what I needed was the first IP address and not the last.

I discovered erex and what a powerful tool! It generated the following rex that solved my problem:

rex "(?i) IP?:(?P<true_ip>\d+\.\d+\.\d+\.\d+)"
link

answered 08 Feb '12, 14:03

ericksond's gravatar image

ericksond
11
accept rate: 100%

edited 08 Feb '12, 14:04

0

If you are not interested in the first of two TrueIP's, you could always do something like this for a log message that looks like:

message=blah user=admin true IP: 1.2.3.4, 2.3.4.5 error=fatal

the field extraction would be something like:

rex ",?\s(?<true_ip>\d+\.\d+\.\d+\.\d+)\serror="

hope this helps, but please provide more info in order to get better help

/k

link

answered 07 Feb '12, 12:49

kristian.kolb's gravatar image

kristian.kolb
9.7k615
accept rate: 33%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×8
×2

Asked: 07 Feb '12, 12:02

Seen: 627 times

Last updated: 08 Feb '12, 14:04

Related questions

Can I extract info from comma deliminated data?

Regex after delimited field extraction

Multivalue delimited field extraction

Inconsistent number of spaces in a space-delimited event.

Splunk CSV comma handling != Excel comma handling

Parsing comma separated values

How to accept multiple value inputs in a Splunk Form?

Field extraction on a delimited file

space-delimited txt file import

Copyright © 2005-2012 Splunk Inc. All rights reserved.