
Two same fields info from output, how to distinguish between

uunetcyoon
Explorer

Hi, I just started to use Splunk and am stuck on an issue.
I get syslog messages from a firewall (src 192.168.77.1) related to the "Blocked Web Sites" message. I was trying to make a daily report based on one user's source IP address attempting to reach blocked sites, but when I put a new search string with 'src', it kept getting the firewall src IP instead of the user src IP. How do you make Splunk distinguish those?

Here is the raw info, and there are two 'src' values.

Sep 11 20:15:36 192.168.77.1 Sep 11 20:15:39 2012 zywall src="192.168.88.126:60122" dst="67.228.197.199:80" msg="URL:fs.teamlava.com/api.php?cv=2.0.1&method=getBoardForProfileId&ctx=SocialViewController&nflrt=2012-09-06%2019%3A52%3A25&st=24" note="WEB DEBUG" user="unknown" devID="5067f0181086" cat="Blocked Web Sites"
host=192.168.77.1 | source=udp:514 | date_hour=20 | src=192.168.77.1 | user=unknown

Any advice will be really appreciated.
Thank you
Chris


jonuwz
Influencer

You might want to do this in your search, like this:

 | rex "src=\"?(?<sources>[0-9.]+)" max_match=2 | eval src1=mvindex(sources,0) | eval src2=mvindex(sources,-1) | table src1 src2

If this is a regular thing, then you might want to look at this

The MV_ADD directive tells Splunk to make a field multivalue if the field is repeated.
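For a permanent setup, the same idea expressed as props.conf/transforms.conf stanzas (an added example, not jonuwz's or Splunk's own configuration; it assumes the events are indexed with a sourcetype named `zywall`, which is a placeholder, and it also covers the later question about 120 users, since a field extracted this way carries whatever IP each event contains, so no src3 ... src120 is needed):

```ini
# transforms.conf  (added example; sourcetype name "zywall" is a placeholder)
# Pull the address out of the quoted src="ip:port" pair into a field of its own,
# so it never collides with the src field that already holds the firewall IP.
[zywall_user_src]
REGEX = \ssrc="(?<user_src>\d{1,3}(?:\.\d{1,3}){3}):\d+"

# Alternative: keep the name src, but append the second value instead of
# discarding it; src then becomes a multivalue field (firewall IP, user IP).
[zywall_src_mv]
REGEX = \ssrc="(?<src>\d{1,3}(?:\.\d{1,3}){3}):\d+"
MV_ADD = true

# props.conf
[zywall]
REPORT-user_src = zywall_user_src
# or, for the multivalue variant:
# REPORT-src_mv = zywall_src_mv

# Daily report with the first variant (one value per event, any number of users):
#   cat="Blocked Web Sites" | stats count by user_src | sort -count
```

The search-time extraction applies to all events of the sourcetype, so re-indexing is not required.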

uunetcyoon
Explorer

Thank you for the comments. You are right, your suggestion is useful on an event-by-event basis. I learned some logic from your search string. I really appreciate it.
By the way, I found what I want through the Interactive Field Extractor option, and the regex pattern for the second 'src'/user is (?i) src="(?P[^:]+). I have not put it in props.conf or transforms.conf yet.
Now I know how I can customize raw data.

Again, thank you for your help.


jonuwz
Influencer

No. The extraction is done on an event-by-event basis.

With this extraction, every result will have a src1 and a src2.

So, if I'm reading the question correctly, src1 will be the firewall IP and src2 will be the user IP.

If you have a specific search requirement (like listing the top user IPs), post it up.

uunetcyoon
Explorer

John,
Thank you for your time and answer.
I just tried your suggestion and realized that src2 is stuck with one IP value. There are about 120 users in my network, meaning 120 IP addresses can be on src2. Do I need to create eval src2, src3, src4, src5 ... src120???
As you suggested, I am reviewing the MV_ADD option, but I guess it will take some time to apply.

Thank you
Chris
