Let's turn the subnet pattern we built earlier into a field. First, we build the query with the rex statement:

sourcetype="impl_splunk_gen" ip="*"
| rex "ip=(?P<subnet>\d\.\d\.\d+)\.\d+"
| table ip subnet

Since we know there will be an ip field in the events we care about, we can use ip="*" to limit the results to events that have a value for that field. table takes a list of fields and displays a table, one row per event:
As we can see, the rex statement doesn't always work. Looking at the pattern again, you may notice that the first two instances of \d are now missing their trailing +. Without the plus sign, only addresses with a single digit in both their first and second sections will match. After adding the missing plus signs to our pattern, all rows will have a subnet.
sourcetype="impl_splunk_gen" ip="*"
| rex "ip=(?P<subnet>\d+\.\d+\.\d+)\.\d+"
| table ip subnet

We can now take the pattern from the rex statement and use it to build a configuration.
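To see exactly why the first pattern drops rows, here is an added Python example (not from the book or from Splunk) that mimics the ip="*" filter, the rex field extraction and the table command over a few constructed impl_splunk_gen-style events, and runs both the broken and the corrected pattern. The sample events and the helper names are assumptions for the illustration.

```python
import re

# Constructed sample events in the impl_splunk_gen style (not taken from the page).
# "_raw" is the event text; "ip" is the field already extracted at search time.
EVENTS = [
    {"_raw": "user=mary ip=1.2.3.4 req_time=1", "ip": "1.2.3.4"},
    {"_raw": "user=bob ip=10.1.2.3 req_time=2", "ip": "10.1.2.3"},
    {"_raw": "user=jane ip=192.168.1.10 req_time=3", "ip": "192.168.1.10"},
    {"_raw": "user=bob error=no ip in this event"},  # no ip field at all
]

# The two rex patterns from the page: the first is missing the "+" after the
# first two \d, so it only matches single-digit first and second octets.
BROKEN_PATTERN = r"ip=(?P<subnet>\d\.\d\.\d+)\.\d+"
FIXED_PATTERN = r"ip=(?P<subnet>\d+\.\d+\.\d+)\.\d+"


def search_ip_present(events):
    """Mimic ip="*": keep only events that have a value for the ip field."""
    return [e for e in events if e.get("ip")]


def rex(events, pattern):
    """Mimic | rex "<pattern>": run the named-group regex over _raw and add
    one field per named group. Non-matching events keep their row but get no
    new field, which is why the table later shows an empty subnet cell."""
    compiled = re.compile(pattern)
    out = []
    for event in events:
        fields = dict(event)
        match = compiled.search(event["_raw"])
        if match:
            fields.update(match.groupdict())
        out.append(fields)
    return out


def table(events, *columns):
    """Mimic | table ip subnet: one tuple per event, missing fields as ''."""
    return [tuple(e.get(c, "") for c in columns) for e in events]


def run_query(pattern):
    """The whole pipeline: ip="*" | rex "<pattern>" | table ip subnet."""
    return table(rex(search_ip_present(EVENTS), pattern), "ip", "subnet")


if __name__ == "__main__":
    for name, pattern in (("broken", BROKEN_PATTERN), ("fixed", FIXED_PATTERN)):
        print(name)
        for row in run_query(pattern):
            print("  ", row)
```

With the broken pattern only 1.2.3.4 gets a subnet; with the fixed pattern every row does, matching the book's description.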