I'm struggling to match the last IP in pattern which may contain a comma separated list of IPs.
e.g. both of these appear in my logs:
foo\t102.35.174.94\tbar
102.35.174.94 is my desired matchfoo\t102.35.174.94,66.249.83.219\tbar
66.249.83.219 is my desired matchI haven't seen more than 2 IPs in a row yet, but assume that's possible.
I was hoping something like this would work but no luck yet:
\t(?<x_forwarded_for>(.*(%{IP}$)))\t
Any suggestions? Thank you in advance.
$ will not work because that anchors to end of line, not end of field. However, the \t effectively anchors to end of field, so removing the $ might work.
Thanks for the suggestion.
I believe this works for both single IPs or variable length list of comma separated IPs:
\t%{GREEDYDATA:x_forwarded_for_temp}\t
then:
mutate {
split => ["x_forwarded_for_temp" , ","]
add_field => ["x_forwarded_for", "%{[x_forwarded_for_temp][-1]}" ]
}
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.