https://community.splunk.com/t5/Splunk-Search/IPV6-address-field-extraction-issue/m-p/22757#M3956 <P>Hi everybody,</P> <P>I am trying to use splunk&gt; to extract some information from a set of IIS log files. Basically, I am working on a IPV6 vs IPV4 report. Yesterday, I did some tests at home, and everything worked fine. However, today at customer site, I have detected an strange behavior on splunk&gt;</P> <P>I have attached a picture so you can easily see what I am talking about:</P> <P><IMG src="http://i55.tinypic.com/mhx5i.png" alt="alt text" /></P> <P>Here it is the picture if does not fit on your browser:</P> <P><A href="http://i55.tinypic.com/mhx5i.png">http://i55.tinypic.com/mhx5i.png</A></P> <P>Apparently, splunk&gt; tries to shrink the IPV6 address, but it uses :: even though the real address is not filled with zeros. And therefore, my regExp does not work fine, because it is for fully fledged IPV6 addresses. Anyway, I could work in other regExp but the main point is that I am afraid splunk&gt; is not indexing the information properly, shrinking IPV6 addresses when is not allowed.</P> <P>Thanks in advance</P> Mon, 06 Jun 2011 12:31:59 GMT mihe 2011-06-06T12:31:59Z https://community.splunk.com/t5/Splunk-Search/IPV6-address-field-extraction-issue/m-p/22757#M3956 <P>Hi everybody,</P> <P>I am trying to use splunk&gt; to extract some information from a set of IIS log files. Basically, I am working on a IPV6 vs IPV4 report. Yesterday, I did some tests at home, and everything worked fine. However, today at customer site, I have detected an strange behavior on splunk&gt;</P> <P>I have attached a picture so you can easily see what I am talking about:</P> <P><IMG src="http://i55.tinypic.com/mhx5i.png" alt="alt text" /></P> <P>Here it is the picture if does not fit on your browser:</P> <P><A href="http://i55.tinypic.com/mhx5i.png">http://i55.tinypic.com/mhx5i.png</A></P> <P>Apparently, splunk&gt; tries to shrink the IPV6 address, but it uses :: even though the real address is not filled with zeros. And therefore, my regExp does not work fine, because it is for fully fledged IPV6 addresses. Anyway, I could work in other regExp but the main point is that I am afraid splunk&gt; is not indexing the information properly, shrinking IPV6 addresses when is not allowed.</P> <P>Thanks in advance</P> Mon, 06 Jun 2011 12:31:59 GMT https://community.splunk.com/t5/Splunk-Search/IPV6-address-field-extraction-issue/m-p/22757#M3956 mihe 2011-06-06T12:31:59Z https://community.splunk.com/t5/Splunk-Search/IPV6-address-field-extraction-issue/m-p/22758#M3957 <P>I don't think that Splunk is mangling your field value but rather that the "c_ip" field is not extracted from the location you expect in the event :</P> <P><IMG src="http://i53.tinypic.com/awx8vc.png" alt="alt text" /></P> <P>It looks like some app that you have installed is performing the extraction of the "c_ip" field by default. I would recommend that you check the other fields extracted, as one of them might contain the value you care about but under a field name other than "c_ip".</P> <P>Finally, if the value you care for is not being extracted at all, I recommend that you create your own field extraction following these instructions from our online documentation :</P> <P><A href="http://www.splunk.com/base/Documentation/latest/Knowledge/Addfieldsatsearchtime">http://www.splunk.com/base/Documentation/latest/Knowledge/Addfieldsatsearchtime</A></P> <P>...and using one of these fine regular expressions tailored for IPv6 addresses :</P> <P><A href="http://splunk-base.splunk.com/answers/8435/ipv6-addresses-parsed-properly">http://splunk-base.splunk.com/answers/8435/ipv6-addresses-parsed-properly</A></P> Tue, 07 Jun 2011 10:31:23 GMT https://community.splunk.com/t5/Splunk-Search/IPV6-address-field-extraction-issue/m-p/22758#M3957 hexx 2011-06-07T10:31:23Z