https://community.splunk.com/t5/Security/Splunk-creates-field-from-from-wrong-string-in-my-LDAP-logs/m-p/151008#M4593 <P>Root cause:<BR /> The reason this is occurring is because you have 2 key=value pairs with the same key. So Splunk will extract the first value into the key, and then overwrite it with the second value.</P> <P>Solution:<BR /> Define a new field extraction that specifies exactly how you want the fields extracted.</P> <UL> <LI><P>during the search</P> <P>your search ... | rex "from IP=(?P<IP>[^:]+?).*?(IP=(?P<IP_2>[^:])"</IP_2></IP></P> <UL> <LI>or using the field extraction to create a new field extraction object. You can use the above regex (what is inside the quotes).</LI> </UL></LI> </UL> <P>If you do it this way, you'll get two fields, one called "IP" with the first IP, and another called "IP_2" with the second IP.</P> <P>Hope this helps</P> <P>--- EDIT ---</P> <P>I edited my rex command to stop at the ":"; this is to avoid catching the port in the first IP.</P> Mon, 15 Dec 2014 19:41:26 GMT aholzer 2014-12-15T19:41:26Z https://community.splunk.com/t5/Security/Splunk-creates-field-from-from-wrong-string-in-my-LDAP-logs/m-p/151007#M4592 <P>Hi everyone,</P> <P>I am attempting to graph LDAP transactions from our OpenLDAP LDAP servers, however I'm having trouble getting Splunk to use the correct fields.</P> <P>In the example below, the first line of the transaction has two IP addresses, IP=192.168.1.111 &amp; IP=0.0.0.0. Splunk assigns the field named<CODE>IP</CODE> to <CODE>IP=0.0.0.0</CODE>, but I want it to use the first field <CODE>IP=192.168.1.111</CODE> instead. How can I tell Splunk to match <CODE>IP=192.168.1.111</CODE> &amp; not <CODE>IP=0.0.0.0</CODE>?</P> <PRE><CODE>Dec 15 10:13:27 ldap1 slapd[50625]: conn=12341234 fd=207 ACCEPT from IP=192.168.1.111:34792 (IP=0.0.0.0:389) Dec 15 10:13:27 ldap1 slapd[50625]: conn=12341234 op=0 EXT oid=1.2.6.1.6.1.1666.37723 Dec 15 10:13:27 ldap1 slapd[50625]: conn=12341234 op=0 STARTTLS Dec 15 10:13:27 ldap1 slapd[50625]: conn=12341234 op=0 RESULT oid= err=0 text= Dec 15 10:13:27 ldap1 slapd[50625]: conn=12341234 fd=206 TLS established tls_ssf=256 ssf=256 Dec 15 10:13:27 ldap1 slapd[50625]: conn=12341234 op=1 BIND dn="" method=128 Dec 15 10:13:27 ldap1 slapd[50625]: conn=12341234 op=1 RESULT tag=97 err=0 text= Dec 15 10:13:27 ldap1 slapd[50625]: conn=12341234 op=2 SRCH base="dc=example,dc=org" scope=0 deref=0 filter="(objectClass=*)" Dec 15 10:13:27 ldap1 slapd[50625]: conn=12341234 op=2 SRCH attr=contextCSN Dec 15 10:13:27 ldap1 slapd[50625]: conn=12341234 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text= Dec 15 10:13:27 ldap1 slapd[50625]: conn=12341234 op=3 UNBIND Dec 15 10:13:27 ldap1 slapd[50625]: conn=12341234 fd=206 closed </CODE></PRE> Mon, 15 Dec 2014 19:32:09 GMT https://community.splunk.com/t5/Security/Splunk-creates-field-from-from-wrong-string-in-my-LDAP-logs/m-p/151007#M4592 stefanlasiewski 2014-12-15T19:32:09Z https://community.splunk.com/t5/Security/Splunk-creates-field-from-from-wrong-string-in-my-LDAP-logs/m-p/151008#M4593 <P>Root cause:<BR /> The reason this is occurring is because you have 2 key=value pairs with the same key. So Splunk will extract the first value into the key, and then overwrite it with the second value.</P> <P>Solution:<BR /> Define a new field extraction that specifies exactly how you want the fields extracted.</P> <UL> <LI><P>during the search</P> <P>your search ... | rex "from IP=(?P<IP>[^:]+?).*?(IP=(?P<IP_2>[^:])"</IP_2></IP></P> <UL> <LI>or using the field extraction to create a new field extraction object. You can use the above regex (what is inside the quotes).</LI> </UL></LI> </UL> <P>If you do it this way, you'll get two fields, one called "IP" with the first IP, and another called "IP_2" with the second IP.</P> <P>Hope this helps</P> <P>--- EDIT ---</P> <P>I edited my rex command to stop at the ":"; this is to avoid catching the port in the first IP.</P> Mon, 15 Dec 2014 19:41:26 GMT https://community.splunk.com/t5/Security/Splunk-creates-field-from-from-wrong-string-in-my-LDAP-logs/m-p/151008#M4593 aholzer 2014-12-15T19:41:26Z https://community.splunk.com/t5/Security/Splunk-creates-field-from-from-wrong-string-in-my-LDAP-logs/m-p/151009#M4594 <P>Thanks. Can you explain what the <CODE>?P</CODE> does in this regex?</P> Mon, 15 Dec 2014 20:52:00 GMT https://community.splunk.com/t5/Security/Splunk-creates-field-from-from-wrong-string-in-my-LDAP-logs/m-p/151009#M4594 stefanlasiewski 2014-12-15T20:52:00Z https://community.splunk.com/t5/Security/Splunk-creates-field-from-from-wrong-string-in-my-LDAP-logs/m-p/151010#M4595 <P>It's not necessary, but it's a habit from an older Splunk version. If I remember correctly it used to be needed to specify using "python" regex expressions, indicating that what was coming next (inside the &lt;&gt; brackets) was the name of the field.</P> <P>You can simply use <CODE>?</CODE> instead of <CODE>?P</CODE> it'll work the same.</P> Mon, 15 Dec 2014 21:08:08 GMT https://community.splunk.com/t5/Security/Splunk-creates-field-from-from-wrong-string-in-my-LDAP-logs/m-p/151010#M4595 aholzer 2014-12-15T21:08:08Z https://community.splunk.com/t5/Security/Splunk-creates-field-from-from-wrong-string-in-my-LDAP-logs/m-p/151011#M4596 <P>Thanks for your tip about the field extractions. When I try the current regex, I don't get a total match. See <A href="https://www.regex101.com/r/oI7gI2/1">https://www.regex101.com/r/oI7gI2/1</A></P> <P>What I settled on was the following: <CODE>from IP=(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*?\(IP=(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})</CODE></P> Mon, 15 Dec 2014 22:35:44 GMT https://community.splunk.com/t5/Security/Splunk-creates-field-from-from-wrong-string-in-my-LDAP-logs/m-p/151011#M4596 stefanlasiewski 2014-12-15T22:35:44Z https://community.splunk.com/t5/Security/Splunk-creates-field-from-from-wrong-string-in-my-LDAP-logs/m-p/151012#M4597 <P>you still need to provide the name of the field after the <CODE>?</CODE> using these brackets "&lt;" and "&gt;"</P> Tue, 16 Dec 2014 14:36:23 GMT https://community.splunk.com/t5/Security/Splunk-creates-field-from-from-wrong-string-in-my-LDAP-logs/m-p/151012#M4597 aholzer 2014-12-16T14:36:23Z https://community.splunk.com/t5/Security/Splunk-creates-field-from-from-wrong-string-in-my-LDAP-logs/m-p/151013#M4598 <P>Thanks, yes I assigned a name to the field. I just didn't include this in my comment. Thanks.</P> Fri, 19 Dec 2014 17:47:56 GMT https://community.splunk.com/t5/Security/Splunk-creates-field-from-from-wrong-string-in-my-LDAP-logs/m-p/151013#M4598 stefanlasiewski 2014-12-19T17:47:56Z https://community.splunk.com/t5/Security/Splunk-creates-field-from-from-wrong-string-in-my-LDAP-logs/m-p/151014#M4599 <P>If you are using the field name then I don't know why it's not working. Try putting the "P" back in after the "?" in the capture group <CODE>?P</CODE></P> Fri, 19 Dec 2014 19:38:39 GMT https://community.splunk.com/t5/Security/Splunk-creates-field-from-from-wrong-string-in-my-LDAP-logs/m-p/151014#M4599 aholzer 2014-12-19T19:38:39Z https://community.splunk.com/t5/Security/Splunk-creates-field-from-from-wrong-string-in-my-LDAP-logs/m-p/151015#M4600 <P>What is the technical difference between <CODE>?P&amp;lt;MyField&amp;gt;</CODE> and <CODE>?&amp;lt;MyField&amp;gt;</CODE> without the <CODE>P</CODE>?</P> Fri, 19 Dec 2014 21:39:23 GMT https://community.splunk.com/t5/Security/Splunk-creates-field-from-from-wrong-string-in-my-LDAP-logs/m-p/151015#M4600 stefanlasiewski 2014-12-19T21:39:23Z https://community.splunk.com/t5/Security/Splunk-creates-field-from-from-wrong-string-in-my-LDAP-logs/m-p/151016#M4601 <P>Arg. This software eats the angle bracket characters, and doesn't allow their HTML equivalents.</P> Fri, 19 Dec 2014 21:40:44 GMT https://community.splunk.com/t5/Security/Splunk-creates-field-from-from-wrong-string-in-my-LDAP-logs/m-p/151016#M4601 stefanlasiewski 2014-12-19T21:40:44Z