https://community.splunk.com/t5/Splunk-Search/IPv6-addresses-parsed-properly/m-p/79250#M181717 <P>Can I use all 6 of these patterns and combine them into a single 'type' called 'IPv6 address'?</P> Tue, 16 Dec 2014 19:44:45 GMT stefanlasiewski 2014-12-16T19:44:45Z https://community.splunk.com/t5/Splunk-Search/IPv6-addresses-parsed-properly/m-p/79245#M181712 <P>Does splunk have any issues with parsing out IPv6 addresses from firewall events? I guess it all depends on how the transforms are written and how the fields are delimited (Cisco App written to parse IPv6).</P> <P>Has anyone successfully parsed IPv6 or noticed any issues or caveats that we should be aware of?</P> Thu, 28 Oct 2010 01:39:31 GMT https://community.splunk.com/t5/Splunk-Search/IPv6-addresses-parsed-properly/m-p/79245#M181712 EricPartington 2010-10-28T01:39:31Z https://community.splunk.com/t5/Splunk-Search/IPv6-addresses-parsed-properly/m-p/79246#M181713 <P>There are several formats in which IPv6 can be displayed in your event log. You will want to use transforms.conf to find and parse these addresses. Here is a list of regex that matches the different forms. (The IPv4 address converted to IPv6 used in the examples below is 192.168.10.100 with a net mask of 255.255.255.0)</P> <H3>Full IPv6 address:</H3> <P><CODE></CODE><PRE><CODE><B>fe80:0000:0000:0000:0000:0000:c0a8:a64</B></CODE></PRE> Regex to match and return full address as $1: </P> <P><CODE></CODE><PRE><CODE><B>([0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4})</B></CODE></PRE><BR /></P> <H3>IPv6 drop leading zero's:</H3> <P><CODE></CODE><PRE><CODE><STRONG>fe80:0:0:0:0:0:c0a8:a64</STRONG></CODE></PRE> Regex to match and return full address as $1 (yes, its the same as the above): <CODE></CODE><PRE><CODE><B>([0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4})</B></CODE></PRE><BR /></P> <H3>IPv6 collapse multiple zero's:</H3> <P><CODE></CODE><PRE><CODE><STRONG>fe80::c0a8:a64</STRONG></CODE></PRE> Regex to match collapsed zero groups. This will also work with collapsed zeros at the beginning of the address but not for single group addresses(e.g. '::1') and does not check for illegal IPv6 addresses (e.g. fe80::c0a8::a64): <CODE></CODE><PRE><CODE><B>(:?:?[0-9A-Fa-f]{1,4}:?[::]?[0-9A-Fa-f]{1,4}:?[::]?[0-9A-Fa-f]{1,4}:?[::]?[0-9A-Fa-f]{1,4}:?[::]?[0-9A-Fa-f]{1,4}:?[::]?[0-9A-Fa-f]{1,4}:?[[::]?[0-9A-Fa-f]{1,4}]?)</B></CODE></PRE><BR /><BR /></P> <P>To account for mixed IPv4 and IPv6 addresses, IPv6 allows for changing the last 4 bits to include the IPv4 address fe80:0000:0000:0000:0000:0000:c0a8:a64 would then be noted with the quad address at the end and become 'fe80:0000:0000:0000:0000:0000:192.168.10.100'.</P> <H3>Full IPv6 with IPv4 quad:</H3> <P><CODE></CODE><PRE><CODE><STRONG>fe80:0000:0000:0000:0000:0000:192.168.10.100</STRONG></CODE></PRE> Regex to match: <CODE></CODE><PRE><CODE><B>([0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:(?:\d{1,3}.){3}\d{1,3}) </B></CODE></PRE><BR /></P> <H3>IPv6 dropping leading zero's with IPv4 quad:</H3> <P><CODE></CODE><PRE><CODE><STRONG>fe80:0:0:0:0:0:192.168.10.100</STRONG></CODE></PRE> Regex to match (same as above): <CODE></CODE><PRE><CODE><B> ([0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:(?:\d{1,3}.){3}\d{1,3}) </B></CODE></PRE><BR /></P> <H3>IPv6 with collapsed zero's and IPv4 quad:</H3> <P><CODE></CODE><PRE><CODE><STRONG>fe80::192.168.10.100</STRONG></CODE></PRE> Regex to match: <CODE></CODE><PRE><CODE><B>(:?:?[0-9A-Fa-f]{1,4}:?[::]?[0-9A-Fa-f]{1,4}:?[::]?[0-9A-Fa-f]{1,4}:?[::]?[0-9A-Fa-f]{1,4}:?[::]?[0-9A-Fa-f]{1,4}:?[[::]?[0-9A-Fa-f]{1,4}]?(?:\d{1,3}.){3}\d{1,3}) </B></CODE></PRE><BR /></P> <P>Depending on the IPv6 address type that you are seeing in your events, you may want to tailor the regex to fit your IPv6 addresses more specifically.</P> Mon, 29 Nov 2010 20:54:54 GMT https://community.splunk.com/t5/Splunk-Search/IPv6-addresses-parsed-properly/m-p/79246#M181713 Rob 2010-11-29T20:54:54Z https://community.splunk.com/t5/Splunk-Search/IPv6-addresses-parsed-properly/m-p/79247#M181714 <P>Certainly some example IPv6 addresses in the events themselves would be useful....</P> Mon, 29 Nov 2010 22:59:12 GMT https://community.splunk.com/t5/Splunk-Search/IPv6-addresses-parsed-properly/m-p/79247#M181714 araitz 2010-11-29T22:59:12Z https://community.splunk.com/t5/Splunk-Search/IPv6-addresses-parsed-properly/m-p/79248#M181715 <P>Note that the IETF has proposed <A href="http://tools.ietf.org/html/rfc5952">RFC 5952</A> to "define a canonical textual representation format" across all systems and codes. Currently, IPv6 is difficult to parse, and the wide range of regex rules is going to leave holes in many apps. Hopefully RFC 5952 will bring some sanity to this mess.</P> Tue, 20 Mar 2012 00:35:31 GMT https://community.splunk.com/t5/Splunk-Search/IPv6-addresses-parsed-properly/m-p/79248#M181715 stefanlasiewski 2012-03-20T00:35:31Z https://community.splunk.com/t5/Splunk-Search/IPv6-addresses-parsed-properly/m-p/79249#M181716 <P>How do you use these in an actual search?</P> Mon, 18 Mar 2013 19:16:28 GMT https://community.splunk.com/t5/Splunk-Search/IPv6-addresses-parsed-properly/m-p/79249#M181716 jtrucks 2013-03-18T19:16:28Z https://community.splunk.com/t5/Splunk-Search/IPv6-addresses-parsed-properly/m-p/79250#M181717 <P>Can I use all 6 of these patterns and combine them into a single 'type' called 'IPv6 address'?</P> Tue, 16 Dec 2014 19:44:45 GMT https://community.splunk.com/t5/Splunk-Search/IPv6-addresses-parsed-properly/m-p/79250#M181717 stefanlasiewski 2014-12-16T19:44:45Z