Field value combine from auto extracted value

sumitkathpal292 — Tue, 29 Sep 2020 19:25:31 GMT

Hi All,

We have endpoint logs by default logs are in JSON format field which are auto extracted however we have two field name Protocol(tcp,udp etc) and RemotePort(443,8080 ,53 etc) . Actually we want dest_port=Protocol/RemotePort Example output tcp/443.

Sample log

{"ConfigBuild":"1000.1.0006507.1","ConfigStateHash":"118807017","ConnectionDirection":"0","ConnectionFlags":"0","ContextProcessId":"124283148110857432","ContextTimeStamp":"1122143620.880","EffectiveTransmissionClass":"3","Entitlements":"15","InContext":"0","LocalAddressIP4":"10.0.0.34","LocalPort":"52022","Protocol":"6","RemoteAddressIP4":"10.0.0.1","RemotePort":"443","aid":"a50f3aab996345f46510ec2f4c12b399","aip":"13.70.190.121","cid":"07b2sf7ss17147df10j15ggb6d7010tc","event_platform":"Win","event_simpleName":"NetworkConnectIP4","id":"ac8b80b5-4s36-10f8-000c-061014bed5be","name":"NetworkConnectIP4V5","timestamp":"1525175921212"}

Can we use existing extracted fields which are Protocol and RemotePort somehow map with desired field which is dest_port=Protocol/RemotePort or kindly help me to extract the field value.

Thanks in advance

Re: Field value combine from auto extracted value

adonio — Sat, 05 May 2018 12:14:16 GMT

hello there,

you can create a string from both fields.
something like this:
... | eval combined = Protocol. "/" .RemotePort" ...
try this search anywhere:

| makeresults count=1 
| eval data="TCP,8000 UDP,514 TCP,9997 UDP,1514"
| makemv delim=" " data
| mvexpand data
| rex field=data "(?<Protocol>\w+),(?<Port>\d+)"
| fields Port Protocol
| eval combined = Protocol. "/" .Port

hope it helps

topic Re: Field value combine from auto extracted value in Splunk Search

Field value combine from auto extracted value

Re: Field value combine from auto extracted value