Parsing ip address coming at random places inside logs

hi guys,

The input log message contains an IP address, but the occurrence of the IP is at a random position inside the message, and sometimes the message will not contain any IP at all. Can we extract this IP address using grok or other filters?

Example input log messages:
this is server log error observed exception occurred
no error observed.

I am trying the below, but it is not working:

    grok { match => {"message" => " ((?<wildcard>.*)%{IPV4:IP}(?<wildcard>.*)") | %{IPV4:IP}(?<wildcard>.*) | (?<wildcard>.*)}

If you just want the IP then you can use

    grok { match => { "message" => "%{IPV4:IP}" } }

and grok will find it if it is anywhere in the message.


hi Badger,

Thanks for the input.

The built-in grok will capture the IP address once in the log message and the remaining IP addresses will not be parsed. There are instances where the IP address appears multiple times, or fewer times, without any particular position, such as ... exception error at server

Is there any grok which can parse all occurrences of IP addresses coming anywhere in the input message, at any place?


Also, if the input log message does not have an IP address, it gives me _grokparsefailure.

If you want to capture every occurrence of a regexp in a field then use a ruby filter and the String.scan function.

    ruby {
        # scan returns every non-overlapping match as an array; .to_s keeps it from
        # raising when the message field is absent (an empty array is set instead)
        code => 'event.set("anArray", event.get("message").to_s.scan(/(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9])/))'
    }

Edited to add: The grok pattern for IPV4 is one of the core patterns.
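The String.scan approach above, carried through as a stand-alone Ruby script so it can be checked without Logstash (an added example, not code from this thread or from Logstash itself). A plain Hash stands in for the Logstash event, the field names `message` and `ips` are assumptions, and the sample lines are constructed to cover the three cases raised in the question: several addresses, none at all, and near-misses that must not match.

```ruby
# Same octet rule as the filter above (0-255), factored out for readability.
OCTET = /(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])/
# Digit lookbehind/lookahead so "10.0.0.1234" is not cut down to "10.0.0.123".
IPV4 = /(?<![0-9])#{OCTET}(?:[.]#{OCTET}){3}(?![0-9])/

# Every IPv4 occurrence in the message, in order, duplicates included.
# nil (field missing) yields [] rather than raising, unlike a bare .scan.
def extract_ipv4(message)
  message.to_s.scan(IPV4)
end

# Emulates the ruby filter on one event (a Hash standing in for the Logstash
# event). The target field is only set when something was found, so a message
# without an IP is left untouched instead of producing a failure tag.
def enrich(event, field: "message", target: "ips")
  ips = extract_ipv4(event[field])
  event[target] = ips.uniq unless ips.empty?
  event
end

# Constructed sample messages (not real log data).
SAMPLE_LOGS = [
  "exception error at server 10.1.2.3 retrying via 10.1.2.3 and 192.168.0.10",
  "no error observed.",
  "bad octet 256.1.1.1 and too long 10.0.0.1234, valid 172.16.0.1",
]

# Runs each sample through the enrichment step and returns the events.
def process_all(lines)
  lines.map { |line| enrich({ "message" => line }) }
end

if __FILE__ == $PROGRAM_NAME
  process_all(SAMPLE_LOGS).each { |ev| puts ev.inspect }
end
```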
