Solved: Re: How to extract only the first three octets of ...

samble · ‎08-28-2017

I have the below command to extract the top 100 IP addresses. How can I modify the search to extract only the first three octets of the IP address instead of the whole address?

sourcetype="cisco:asa" | top limit=100 src_ip

kmorris_splunk · ‎08-28-2017

You could use the rex command to extract the first 3 octets into another field and do the top on the new field:

sourcetype="cisco:asa"
| rex field=src_ip "(?<firstthree>\d+)\.\d+\.\d+\.\d+" 
| top limit=100 firstthree

View solution in original post

jpolvino · ‎08-09-2019

If you have a field named src_ip that has the full 4-octet IP address, here is one way to modify it in-situ:

| rex field=src_ip mode=sed "/(\d{1,3}\.\d{1,3}\.\d{1,3}).*/\1/g"

This groups the first 3 octets as "group 1" and then replaces the whole field with that group, shown as \1. It also puts a little enforcement on the format of the octets, being a group of 1, 2, or 3 digits.

jawaharas · ‎08-19-2018

Another way to do

.. | rex field=src_ip "(?<firstthree>.+)\.[0-9]+"

kmorris_splunk · ‎08-28-2017

You could use the rex command to extract the first 3 octets into another field and do the top on the new field:

sourcetype="cisco:asa"
| rex field=src_ip "(?<firstthree>\d+)\.\d+\.\d+\.\d+" 
| top limit=100 firstthree

s2_splunk · ‎08-28-2017

Hmmm, looks like your rex should be rex field=src_ip "(?<firstthree>\d+\.\d+\.\d+)\.\d+" instead.

samble · ‎08-28-2017

Thanks. After doing the search I realized that and changed it to

rex field=src_ip "(?\d+.\d+.\d+).\d+"

Thanks for pointing out the same.

How to extract only the first three octets of the IP address instead of the whole address?

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

IM Landing Page Filter - Now Available

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud