All Apps and Add-ons

Splunk_TA_cisco-esa src_ip parses incorrectly


The src_ip field in the Cisco ESA TA is not parsing correctly. I usually only get the last two digits of an IP address.

Original parser in stanza:

REGEX = (?:DCID|ICID)\s+\d+\s+interface\s+.*[\s\(]*(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}).*\s+(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})(?:\s+port\s+(\d+))?
FORMAT = src_ip::$1 dest_ip::$2 dest_port::$3

I think the issue is that a greedy match is used where a non-greedy match should be used:

.* = greedy
.*? = non-greedy

See the revision below with the non-greedy match: "interface\s+.*?[\s(]"

REGEX = (?:DCID|ICID)\s+\d+\s+interface\s+.*?[\s\(]*(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}).*\s+(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})(?:\s+port\s+(\d+))?
FORMAT = src_ip::$1 dest_ip::$2 dest_port::$3

Check out the regex101 link below to verify the non-greedy match:

Splunk Employee
Splunk Employee

Yes, this was also reported here:

I have just added a Known Issue to the documentation here: so that you can follow along as this gets fixed.


Get Updates on the Splunk Community!

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...