Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Coalesce and CIM Compliant Fields

BP9906
Builder
‎09-25-2015 08:57 AM

Hello,
From a reporting perspective, I have apache logs in a company standard format. Due to load balancing configuration, we have 3 possible fields where the source ip is noted.

These fields are as follows:
clientip (standard source IP field)
X_FORWARDED_IP (x-forwarded-for http header)
ns_client_ip (load balancer's view of source ip)

Since all 3 fields exist in sourcetype=access_combined (apache) logs, how do I coalesce the fields to "src" to make it CIM compliant?

I will mention that Apache logs a hyphen "-" for null field values for the above too.

Thanks for your help.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎09-28-2015 12:03 AM

Inside props.conf do this:

EVAL-src = case((clientip != "-"), clientip,  (X_FORWARDED_IP != "-"), X_FORWARDED_IP, (ns_client_ip != "-"), ns_client_ip)

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎09-28-2015 12:03 AM

Inside props.conf do this:

EVAL-src = case((clientip != "-"), clientip,  (X_FORWARDED_IP != "-"), X_FORWARDED_IP, (ns_client_ip != "-"), ns_client_ip)
Reply
Solved! Jump to solution

BP9906
Builder
‎09-29-2015 08:56 AM

Thanks! Does this go on both indexer and search head?

0 Karma
Reply
Solved! Jump to solution

maraman_splunk
Splunk Employee
Splunk Employee
‎07-19-2017 08:04 AM

this is a search time settings so will have no effect on a indexer (but should be in a TA which will be deployed on both SH and IDX)

0 Karma
Reply
Solved! Jump to solution

domenico_perre
Path Finder
‎09-25-2015 02:52 PM

Looks like the regex is being changed when I post, here is a working one

\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}

Try this regex as a search time extraction.

0 Karma
Reply
Solved! Jump to solution

BP9906
Builder
‎09-25-2015 07:36 PM

The Regex is fine for IP addresses, but there's no if logic to assess which IP to use since its common to have both clientip and X_FORWARDED_IP present.

0 Karma
Reply
Solved! Jump to solution

domenico_perre
Path Finder
‎09-26-2015 04:00 AM

Can you put an example which may make it easier to understand 🙂

0 Karma
Reply
Solved! Jump to solution

domenico_perre
Path Finder
‎09-25-2015 02:19 PM

Is there a time where all fields will be the same?

0 Karma
Reply
Solved! Jump to solution

BP9906
Builder
‎09-25-2015 02:24 PM

The X_FORWARDED_IP commonly matches clientip or SOURCE_IP, but depending on the load balancer configuration either clientip is "-" or SOURCE_IP is "-", they never match.

0 Karma
Reply
Solved! Jump to solution

domenico_perre
Path Finder
‎09-25-2015 02:33 PM

Regex is your friend .

Create a search time field extraction for the following

\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}

This will grab the IP address. click extract new fields and then I prefer to write My own regex.

0 Karma
Reply
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...