Let’s say you need to examine the logs in Splunk to find invalid logins, but because of the way your application writes its logs, Splunk is not able to identify the IP address automatically.
This isn’t a problem: you can use a regex. So let’s say you’re looking for the string “failed login for user root” followed by an IP address. You could use a Splunk query such as the following to find any client IP address that has had a failed login attempt. In my example I’m querying the index “webserver”.
index="webserver" "failed login for user root" | rex field=_raw "(?<clientip>\d+\.\d+\.\d+\.\d+)" | top limit=10 clientip
What you’ll get out of this is a list of the top 10 IP addresses that have had failed authentications; you’ll also see “clientip” as an “Interesting Field” that you can then review.
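As an added example (not part of the original post), here is the same search, rex and top pipeline reproduced in Python over a constructed set of log lines, so you can see what the rex pattern actually captures: like rex, only the first match per event is kept, and the loose \d+\.\d+\.\d+\.\d+ pattern also accepts runs such as 256.1.1.1 that are not addresses, so a stricter octet-checked pattern is shown alongside it. The sample events and the STRICT_IP pattern are my own constructions.

```python
import re
from collections import Counter

# Constructed sample events, standing in for the "webserver" index.
SAMPLE_EVENTS = [
    'Jan 10 10:01:02 web1 sshd[101]: failed login for user root from 203.0.113.5 port 4444',
    'Jan 10 10:01:05 web1 sshd[102]: failed login for user root from 203.0.113.5 port 4445',
    'Jan 10 10:01:09 web1 sshd[103]: failed login for user root from 198.51.100.17 port 5000',
    'Jan 10 10:01:11 web1 sshd[104]: accepted login for user alice from 192.0.2.9 port 5100',
    'Jan 10 10:01:15 web1 sshd[105]: failed login for user root from 203.0.113.5 port 4446',
    # Malformed address plus a five-part version string: the loose pattern
    # reports 256.1.1.1 as a client, the strict one reports nothing.
    'Jan 10 10:01:20 web1 app[106]: failed login for user root from 256.1.1.1 ua="Mozilla/5.0 (build 1.2.3.4.5)"',
]

# The pattern from the Splunk query: any dotted run of four digit groups.
LOOSE_IP = re.compile(r"(?P<clientip>\d+\.\d+\.\d+\.\d+)")

# Stricter variant (assumption, not from the post): each octet limited to
# 0-255, and the quad must not be preceded or followed by a digit or dot,
# so "256.1.1.1" and "1.2.3.4.5" are both rejected.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
STRICT_IP = re.compile(rf"(?<![\d.])(?P<clientip>{OCTET}(?:\.{OCTET}){{3}})(?![\d.])")


def top_failed_logins(events, pattern=LOOSE_IP, limit=10):
    """Mirror of: "failed login for user root" | rex ... | top limit=N clientip.

    Returns (clientip, count) pairs, most frequent first. Like rex with its
    default max_match=1, only the first match in each event is extracted.
    """
    counts = Counter()
    for event in events:
        if "failed login for user root" not in event:  # the search term filter
            continue
        match = pattern.search(event)
        if match:
            counts[match.group("clientip")] += 1
    return counts.most_common(limit)


if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE_IP), ("strict", STRICT_IP)):
        print(name, top_failed_logins(SAMPLE_EVENTS, pattern))
```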