Here’s a regex that will pull all of the ip:port values from a field:
| rex field=_raw max_match=0 "(?<ip_port>\d+\.\d+\.\d+\.\d+\:\d+)"
Now expand the ip_port field:
| mvexpand ip_port
And then extract from ip_port into ip & port:
| rex field=ip_port "(?<ip>\d+\.\d+\.\d+\.\d+)\:(?<port>\d+)"
from User warren – Stack Overflow https://stackoverflow.com/questions/63536430/regex-separate-ipport-from-a-log/63562264#63562264
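
The three steps above, re-implemented in Python so the patterns can be tested offline; this is an added example, not part of the original answer. It goes one step further than the searches by validating each octet and port, since `\d+` also matches values such as 999.1.1.1:70000. The function names and sample events are constructed for illustration.

```python
import ipaddress
import re

# Same patterns as the rex commands above, in Python's named-group syntax.
PAIR_RE = re.compile(r"\d+\.\d+\.\d+\.\d+:\d+")
SPLIT_RE = re.compile(r"(?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)")

# Constructed sample events (not from the original post).
SAMPLE_EVENTS = [
    "conn src=10.0.0.5:51514 dst=192.0.2.10:443 action=allow",
    "conn src=203.0.113.7:80 dst=999.1.1.1:70000 action=deny",
]


def extract_pairs(event):
    """Step 1 (rex max_match=0): every ip:port match in one event."""
    return PAIR_RE.findall(event)


def expand(events):
    """Step 2 (mvexpand): one row per (event, ip_port) value."""
    for event in events:
        for ip_port in extract_pairs(event):
            yield event, ip_port


def split_pair(ip_port):
    """Step 3 (second rex): split into ip and port, then validate.

    Returns (ip, port, valid). The digit-run pattern accepts octets above
    255 and ports above 65535, so validity is checked separately.
    """
    m = SPLIT_RE.fullmatch(ip_port)
    ip, port = m.group("ip"), int(m.group("port"))
    try:
        ipaddress.IPv4Address(ip)  # rejects out-of-range octets
        valid = 0 < port <= 65535
    except ipaddress.AddressValueError:
        valid = False
    return ip, port, valid


def parse(events):
    """Run all three steps and return one (ip, port, valid) row per match."""
    return [split_pair(ip_port) for _, ip_port in expand(events)]


if __name__ == "__main__":
    for ip, port, valid in parse(SAMPLE_EVENTS):
        print(f"{ip:<15} {port:<6} {'ok' if valid else 'INVALID'}")
```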