topic Re: How can I remove additional field values? in Splunk Search

How can I remove additional field values?

chrisschum — Thu, 05 Apr 2018 15:15:54 GMT

I've tried several different ways to resolve this issue including using 'rex' and 'replace' but I can't seem to get it to work.

The dst field on log results comes out as "192.168.1.1:1234:ABCD-A123"

How can I just get the IP "192.168.1.1" and remove the other data?

Thanks!

Re: How can I remove additional field values?

skoelpin — Thu, 05 Apr 2018 15:25:36 GMT

Are you trying to replace it at search time or index time?

This will remove it at search time
| rex mode=sed s/\d+\.\d+\.\d+\.\d+\S+/\d+\.\d+\.\d+\.\d+/g

This will remove it at index time
SEDCMD-remove = ...

Re: How can I remove additional field values?

PowerPacked — Thu, 05 Apr 2018 16:31:50 GMT

Use this REX to extract only IP from it.

| rex field=_raw "(?P\d{0,3}.\d{0,3}.\d{0,3}.\d{0,3}):"

Thanks

Re: How can I remove additional field values?

chrisschum — Thu, 05 Apr 2018 22:24:43 GMT

This worked, thanks! And it was at search time.

One additional question I failed to mention. How can I pass this removal to the additional part of my search below? This removal doesn't appear to change the 'dst' field value with the list command piece, if that makes sense.

| stats count by dst, src | stats list(src), list(dst) by count

Thanks!

Re: How can I remove additional field values?

PowerPacked — Thu, 05 Apr 2018 23:01:05 GMT

Use this search

Your search | rex field=dst "(?P\d{0,3}.\d{0,3}.\d{0,3}.\d{0,3}):" | stats count by IP_Only

Re: How can I remove additional field values?

chrisschum — Thu, 05 Apr 2018 23:16:30 GMT

It's giving me an error message:
Error in 'rex' command: Encountered the following error while compiling the regex '(?P\d{0,3}.\d{0,3}.\d{0,3}.\d{0,3}):': Regex: unrecognized character after (?P

Thanks!

Re: How can I remove additional field values?

skoelpin — Fri, 06 Apr 2018 00:10:51 GMT

So what this is doing is it's finding a pattern and replacing it with just the IP. The rex mode=sed works like this

s/<Regex to find pattern>/<-Replace it with this pattern---->/g

So if you want to apply this to your dest field, you would have to pattern match it like the regex above. Or you can simply extract the the IP from that field and create a new field with it. Paste the pattern of your dest IP and source IP so I can see how they differ

Re: How can I remove additional field values?

chrisschum — Fri, 06 Apr 2018 00:27:09 GMT

Okay, that make sense, thanks!

I'll mess around with it and should be able to come up with what I need based on the information you gave me.

Thanks!

Re: How can I remove additional field values?

skoelpin — Fri, 06 Apr 2018 00:45:46 GMT

Don't forget to accept the answer when this solves your problem!