Shrinked ip address field

Good day!
I want to create additional field for nginx access log. This field must contain left octets of IP-address. For examle. If remote IP is, field will contain only 192.168.1.
Sorry, my English is not very good.
Best regards, roonick

You will need to extract this with an ingest pipeline, or similar, but it's possible.

That should be pretty easy with a Grok pattern (A custom one just for fun), there you go:


Custom Grok Pattern

LEFTIP (?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.])

Grok Pattern



  "client": [

You can practice at

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.