0

I'm trying to extract multiple IPv4 addresses from a single field, where they are separated by `","`.

Example string: `"badips":["123.456.789.12","123.456.789.13","123.456.789.14"]`

Expected output of field badips with values 123.456.789.12 123.456.789.13 123.456.789.14

`^[^\[\n]*\["(?P<badips>\d+\.\d+\.\d+\.\d+)` gets me the first IP. `^[^\[\n]*\["(?P<badips>.*?)\"]` gets me `123.456.789.12","123.456.789.13","123.456.789.14`, with the `","` in between.

I'm trying to come up with something dynamic because there will be at least 1 IP in the field, but there could be more. `]` will always follow the last IP.

I'm new to regex and any help will be greatly appreciated. I have a regex cheat sheet and have been working at this all day; I just can't seem to get it.

jlit259
  • If you can be specific about the regex flavor (ERE, PCRE, PCRE2, etc.) and/or the language you are using, you will have appropriate answers. – tshiono Jan 11 '23 at 01:48
  • Does this answer your question? [RegEx for an IP Address](https://stackoverflow.com/questions/4890789/regex-for-an-ip-address) or one of the many other questions/answers with this search: [`[regex] "IP address"`](https://stackoverflow.com/search?q=%5Bregex%5D+%22IP+address%22) – Inigo Jan 11 '23 at 08:04
  • Or perhaps one of these: https://stackoverflow.com/questions/52841454/regex-to-match-multiple-subnets-delimited-by-a-space, https://stackoverflow.com/questions/52972885/regex-to-match-multiple-ipaddress-domainnames-delimited-by-a-space, https://stackoverflow.com/questions/34268391/multiple-matches-with-delimiter – Inigo Jan 11 '23 at 08:09
  • Start by creating a regex that matches a single valid IP (you can find this on Google _very_ easily). Then make a method to split the string on commas to separate all your IP addresses. Finally, run through each IP address you separated and match it against your regex to see if it's valid. If your IPs are actually inside JSON, then use a JSON parser to get them out. – h2ooooooo Jan 11 '23 at 09:49
  • There is no way to do it with just regex. If you do it in Splunk, do it in two steps: `rex field=_raw "\["(?.*?)"]" | makemv delim="\x22,\x22" _raw` – Wiktor Stribiżew Jan 11 '23 at 10:02

1 Answer

-1

You should use capture groups:

`(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})+`

demo here

Additional information about your implementation (language, regex flavor) will help us give you a better answer.

O-O-O
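
The two-step approach suggested in the comments (capture the bracketed list, then pull out and validate each element), as an added Python example that is not part of the original thread. The sample events, field layout around `badips`, and function names are constructed, and Python's `re` is an assumption because the thread never states the regex flavor.

```python
import ipaddress
import json
import re

# Constructed sample events (addresses are from the documentation ranges).
SAMPLE_MULTI = '{"src":"fw01","badips":["203.0.113.5","203.0.113.6","198.51.100.7"],"action":"block"}'
SAMPLE_SINGLE = '"badips":["203.0.113.5"]'
# The question's own example: dotted-quad shaped, but octets exceed 255.
SAMPLE_QUESTION = '"badips":["123.456.789.12","123.456.789.13","123.456.789.14"]'

# Step 1: capture everything between the brackets that follow "badips".
ARRAY_RE = re.compile(r'"badips"\s*:\s*\[(?P<body>[^\]]*)\]')
# Step 2: pull each quoted element out of the captured body.
ITEM_RE = re.compile(r'"([^"]*)"')


def extract_badips(event):
    """Return every quoted element of the badips array, unvalidated."""
    m = ARRAY_RE.search(event)
    return ITEM_RE.findall(m.group("body")) if m else []


def extract_badips_json(event):
    """Same result via a JSON parser, for events that are complete JSON objects."""
    value = json.loads(event).get("badips", [])
    return [v for v in value if isinstance(v, str)]


def split_valid(candidates):
    """Partition candidates into (valid IPv4, rejected) using the ipaddress module."""
    valid, rejected = [], []
    for c in candidates:
        try:
            ipaddress.IPv4Address(c)
            valid.append(c)
        except ipaddress.AddressValueError:
            rejected.append(c)
    return valid, rejected


if __name__ == "__main__":
    for ev in (SAMPLE_MULTI, SAMPLE_SINGLE, SAMPLE_QUESTION):
        print(split_valid(extract_badips(ev)))
```

A `\d+\.\d+\.\d+\.\d+` pattern accepts the question's `123.456.789.12` values, which is why the validation step is kept separate when the field feeds a blocklist or detection rule.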