topic Re: Need help defining fields in Splunk Search

Need help defining fields

johnnybravo — Wed, 12 Oct 2011 16:39:14 GMT

I want to use dedup to reduce occurrences of the same event like the following:

%IP-4-DUPADDR: Duplicate address 1.1.1.1 on Vlan100, sourced by 0000.5ee5.deed

However if the IP address, VLAN, or MAC address is different then I don't want to dedup it. I tried defining the whole block of text as a field, but that doesn't appear to work. It seems like a field cannot include spaces.

How do I go about defining this so that if the message is of type IP-4-DUPADDR and the address info is the same, dedup it?

Re: Need help defining fields

Ayn — Wed, 12 Oct 2011 16:53:10 GMT

Fields can absolutely contain spaces! There is no such limitation.

When you say the fields are "the same" or "different", what is that in comparison to, the previous event? Anyway, you can either extract the whole string like you say, or you can dedup based on all fields.

Re: Need help defining fields

dwaddle — Wed, 12 Oct 2011 16:54:54 GMT

I might approach it similar to this:

IP-4-DUPADDR 
| rex "Duplicate address (?<ipaddr>[^\s]+) on (?<vlan>[^\s]+) sourced by (?<macaddr>[^\s]+)
| dedup 1 vlan,ipaddr,macaddr

Re: Need help defining fields

johnnybravo — Wed, 12 Oct 2011 17:17:45 GMT

Good to know they can contain spaces. I think my problem is getting the comma to delimit correctly. If I enclose the entire example message above with # in the field picker, it finds no results. If I don't add the #, it wants to add two fields, before and after the comma.

Yes, they would be the same or different in comparison to previous events for that host.

Thanks for the reply!

Re: Need help defining fields

johnnybravo — Wed, 12 Oct 2011 17:47:57 GMT

Thank you, that works!