How do I parse IPv6 with collapsed zero's and IPv4...

cachexploit · ‎04-27-2022

I am getting IPv6 with collapsed zero's and IPv4 quad (ie "fe80::192.168.10.100") for source and I want to parse out the IPv6 part of that field. What do I need to add in my prop to parse that part out? Thank you for any and all help.

VatsalJagani · ‎05-01-2022

@cachexploit -It seems like there is no space or any other characters between IPv6 address and IPv4 address.

For example:

2001:0db8:0001:0000:0000:0ab9:C0A8:10292.10.10.10

There could be two scenarios here:

IPv6=2001:0db8:0001:0000:0000:0ab9:C0A8:102 & IPv4=92.10.10.10
OR
IPv6=2001:0db8:0001:0000:0000:0ab9:C0A8:10 & IPv4=292.10.10.10

Is this what you are saying. Or Am I missing anything here?

cachexploit · ‎05-02-2022

After doing some more digging it appears that the machines logging into Splunk have IPv6 enabled BUT the sources connecting to those machines do not have IPv6 enabled. So there is the address reporting ::ffff:10.10.10.10, basically stating to the Splunk UF machine that this source is working in IPv4. What I am looking for is how to alter the group logging of these machines so that Splunk parses them correctly and I drops the IPv6 part of this address?

How do I parse IPv6 with collapsed zero's and IPv4 quad to just IPv4

inputs.conf

props.conf

source

universal forwarder

Windows

Harnessing Splunk’s Federated Search for Amazon S3

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases