I have an access log that always begins with at least one IP like:
255.255.255.255 - - ...
Using the interactive extraction tool made extracting it a breeze and created this:
(?i)^(?P<ip_address>[^ ]+)
But a minority of log entries will have a chain of IP addresses at the beginning like: 255.255.255.255, 254.254.254.254, 253.253.253.253 - - .....
My goal is to extract the second and third IPs into their own separate fields as well and have them named something like ip_address2 and ip_address3.
My goal: ip_address=255.255.255.255 ip_address2=254.254.254.254 ip_address3=253.253.253.253
Due to these entries being a small minority I have been unable to get any of those records to show up in the interactive extraction tool's sample area. Does anyone know a regex that will give me the desired results? An explanation of the syntax would be greatly appreciated as well.
Alternatively to providing a regex, instructions on how to get custom results to show up in the field extraction tool's sample area would probably work as well; then I would be able to let Splunk generate the proper query.
In the meantime I will continue reading up on Splunk and regex extraction and hopefully solve this for myself and then post the answer, but if any of you regex gurus want to show off your skills it would be a huge time saver.
Thanks!
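The extraction the question asks for, worked through as an added example that is not part of the original post or of Splunk's own tooling. The pattern uses `(?P<name>...)` named groups, which both Python's `re` module and Splunk's PCRE-based `rex` command accept, so the same regex can be pasted into a search; the sample log lines are constructed here, and the helper names (`extract_ips`, `extract_ip_chain`, `is_valid_ipv4`) are my own. It goes slightly beyond the three-field case by also returning the whole chain and validating each token, since in a proxy chain the leading addresses are typically supplied by upstream hops and can contain arbitrary text rather than a real IP.

```python
import ipaddress
import re

# Constructed sample access-log lines (not taken from the original post):
# the first has a single client IP, the second a comma-separated chain of three.
SAMPLE_LINES = [
    '255.255.255.255 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326',
    '255.255.255.255, 254.254.254.254, 253.253.253.253 - - '
    '[10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326',
]

# Syntax, piece by piece:
#   ^                      anchor at the start of the event
#   (?P<ip_address>...)    named capture group -> becomes the field "ip_address"
#   [^\s,]+                one or more characters that are neither whitespace nor a
#                          comma, so a token stops at the ", " separator or the space
#   (?: ... )?             non-capturing group made optional by "?", so entries with
#                          only one IP still match (ip_address2/3 simply stay empty)
#   ,\s*                   the literal comma and any spaces that follow it
#   \s+-\s+-               the " - - " that always follows the IP list, which keeps
#                          the match from running into the rest of the line
IP_CHAIN_RE = re.compile(
    r'^(?P<ip_address>[^\s,]+)'
    r'(?:,\s*(?P<ip_address2>[^\s,]+))?'
    r'(?:,\s*(?P<ip_address3>[^\s,]+))?'
    r'\s+-\s+-'
)


def extract_ips(line):
    """Return the ip_address / ip_address2 / ip_address3 fields present in a line.

    Groups that did not participate (entries with fewer than three IPs) are
    dropped, mirroring how a rex extraction leaves absent fields unset.
    """
    match = IP_CHAIN_RE.match(line)
    if not match:
        return {}
    return {name: value for name, value in match.groupdict().items() if value is not None}


def extract_ip_chain(line):
    """Return every address in the leading comma-separated list, however long.

    Generalises the fixed three-group regex: the text before the first " - "
    is split on commas, so a chain of five hops yields five entries.
    """
    head = line.split(' - ', 1)[0]
    return [token.strip() for token in head.split(',') if token.strip()]


def is_valid_ipv4(token):
    """True only if the token parses as an IPv4 address.

    Upstream proxies, not the web server, populate the leading entries of a
    chain, so a defender should not assume each token is a well-formed IP.
    """
    try:
        return ipaddress.ip_address(token).version == 4
    except ValueError:
        return False


if __name__ == '__main__':
    for line in SAMPLE_LINES:
        fields = extract_ips(line)
        chain = extract_ip_chain(line)
        print(' '.join(f'{name}={value}' for name, value in fields.items()))
        print('  full chain:', chain, 'all valid IPv4:', all(map(is_valid_ipv4, chain)))
```

Because the second and third groups are optional, the single-IP lines that dominate the log still match, which is why a pattern built only from those samples never surfaced the chained variants in the extraction tool. When a chain is longer than three, `extract_ips` still returns the first three fields while `extract_ip_chain` returns the whole list.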