topic Finding unique entries in Splunk Search https://community.splunk.com/t5/Splunk-Search/Finding-unique-entries/m-p/104681#M27131 <P>I have syslog data that looks like so:</P> <P><CODE>2013-10-17T12:37:01.608054-04:00 fw01.77MowatAv01.YYZ %ASA-1-106021: Deny SCTP reverse path check from 10.10.23.2 to 10.10.22.3 on interface SYSTEMS-MANAGEMENT<BR /> 2013-10-17T12:37:02.367813-04:00 fw01.77MowatAv01.YYZ %ASA-1-106021: Deny SCTP reverse path check from 10.10.23.2 to 10.10.22.131 on interface SYSTEMS-MANAGEMENT<BR /> 2013-10-17T12:37:03.117860-04:00 fw01.77MowatAv01.YYZ %ASA-1-106021: Deny SCTP reverse path check from 10.10.23.2 to 10.10.22.3 on interface SYSTEMS-MANAGEMENT<BR /> 2013-10-17T12:37:03.867785-04:00 fw01.77MowatAv01.YYZ %ASA-1-106021: Deny SCTP reverse path check from 10.10.23.2 to 10.10.22.131 on interface SYSTEMS-MANAGEMENT<BR /> 2013-10-17T12:37:04.617843-04:00 fw01.77MowatAv01.YYZ %ASA-1-106021: Deny SCTP reverse path check from 10.10.23.2 to 10.10.22.3 on interface SYSTEMS-MANAGEMENT<BR /> 2013-10-17T12:37:05.367849-04:00 fw01.77MowatAv01.YYZ %ASA-1-106021: Deny SCTP reverse path check from 10.10.23.2 to 10.10.22.131 on interface SYSTEMS-MANAGEMENT<BR /> 2013-10-17T12:37:08.349020-04:00 fw01.77MowatAv01.YYZ %ASA-1-106021: Deny TCP reverse path check from 192.0.2.1 to 184.28.42.175 on interface MANAGEMENT</CODE></P> <P>I want to run a one-off query against this syslog data to pull out the unique events based on the values of two fields within each event.</P> <P>I'm having a hard time getting the IP addresses which I want to use as the unique values to match against other events. Assuming the field separator is a space character, the IP address fields would be fields 10 and 12 of the sample syslog output above.</P> <P>In shell scripting land, I can simply use awk -F" " '{print $10" "$12)' but is there a way that is just as easy where I can specify the field delimiter and the field positions in Splunk?</P> <P>Am I making any sense here?</P> <P>Essentially what I want to see from this query is that based on the syslog sample above, the following is unique:</P> <P>10.10.23.2 10.10.22.3<BR /> 10.10.23.2 10 .10.22.131<BR /> 192.0.2.1 184.28.42.175</P> <P>The rex and regex stuff is far too complex for my little brain to comprehend, so I'm trying to see if there is a way I can use familiar tools, or concepts from familiar tools to achieve the same results.</P> <P>Thanks in advance!</P> <P>BTW: Using Splunk Enterprise 6.</P> Thu, 17 Oct 2013 16:58:03 GMT jlixfeld 2013-10-17T16:58:03Z Finding unique entries https://community.splunk.com/t5/Splunk-Search/Finding-unique-entries/m-p/104681#M27131 <P>I have syslog data that looks like so:</P> <P><CODE>2013-10-17T12:37:01.608054-04:00 fw01.77MowatAv01.YYZ %ASA-1-106021: Deny SCTP reverse path check from 10.10.23.2 to 10.10.22.3 on interface SYSTEMS-MANAGEMENT<BR /> 2013-10-17T12:37:02.367813-04:00 fw01.77MowatAv01.YYZ %ASA-1-106021: Deny SCTP reverse path check from 10.10.23.2 to 10.10.22.131 on interface SYSTEMS-MANAGEMENT<BR /> 2013-10-17T12:37:03.117860-04:00 fw01.77MowatAv01.YYZ %ASA-1-106021: Deny SCTP reverse path check from 10.10.23.2 to 10.10.22.3 on interface SYSTEMS-MANAGEMENT<BR /> 2013-10-17T12:37:03.867785-04:00 fw01.77MowatAv01.YYZ %ASA-1-106021: Deny SCTP reverse path check from 10.10.23.2 to 10.10.22.131 on interface SYSTEMS-MANAGEMENT<BR /> 2013-10-17T12:37:04.617843-04:00 fw01.77MowatAv01.YYZ %ASA-1-106021: Deny SCTP reverse path check from 10.10.23.2 to 10.10.22.3 on interface SYSTEMS-MANAGEMENT<BR /> 2013-10-17T12:37:05.367849-04:00 fw01.77MowatAv01.YYZ %ASA-1-106021: Deny SCTP reverse path check from 10.10.23.2 to 10.10.22.131 on interface SYSTEMS-MANAGEMENT<BR /> 2013-10-17T12:37:08.349020-04:00 fw01.77MowatAv01.YYZ %ASA-1-106021: Deny TCP reverse path check from 192.0.2.1 to 184.28.42.175 on interface MANAGEMENT</CODE></P> <P>I want to run a one-off query against this syslog data to pull out the unique events based on the values of two fields within each event.</P> <P>I'm having a hard time getting the IP addresses which I want to use as the unique values to match against other events. Assuming the field separator is a space character, the IP address fields would be fields 10 and 12 of the sample syslog output above.</P> <P>In shell scripting land, I can simply use awk -F" " '{print $10" "$12)' but is there a way that is just as easy where I can specify the field delimiter and the field positions in Splunk?</P> <P>Am I making any sense here?</P> <P>Essentially what I want to see from this query is that based on the syslog sample above, the following is unique:</P> <P>10.10.23.2 10.10.22.3<BR /> 10.10.23.2 10 .10.22.131<BR /> 192.0.2.1 184.28.42.175</P> <P>The rex and regex stuff is far too complex for my little brain to comprehend, so I'm trying to see if there is a way I can use familiar tools, or concepts from familiar tools to achieve the same results.</P> <P>Thanks in advance!</P> <P>BTW: Using Splunk Enterprise 6.</P> Thu, 17 Oct 2013 16:58:03 GMT https://community.splunk.com/t5/Splunk-Search/Finding-unique-entries/m-p/104681#M27131 jlixfeld 2013-10-17T16:58:03Z Re: Finding unique entries https://community.splunk.com/t5/Splunk-Search/Finding-unique-entries/m-p/104682#M27132 <P>Rex is pretty simple once you get the hang of it. Try something like this:</P> <PRE><CODE>... | rex field=_raw "(?&lt;arg1&gt;.*?)\s(?&lt;arg2&gt;.*?)\s(?&lt;arg3&gt;.*?) Deny TCP reverse path check from (?&lt;From&gt;.*?) to (?&lt;To&gt;.*?) on interface (?&lt;interface&gt;.*?)" | dedup From, To | table From, To </CODE></PRE> <P>Someone else may have a more elegant solution.</P> Thu, 17 Oct 2013 17:57:27 GMT https://community.splunk.com/t5/Splunk-Search/Finding-unique-entries/m-p/104682#M27132 richgalloway 2013-10-17T17:57:27Z