How to remove ::ffff: from the windows events logs at indexing time and in Search?

kiran331
Builder

Hi

How do I remove the ::ffff: before all the src_ip and src values in the Windows event logs? What regex do I have to use in search to remove ::ffff:?

1 Solution

sundareshr
Legend

Try this in your search

base search | rex mode=sed field=src_ip "s/::ffff://g" | rex mode=sed field=src "s/::ffff://g"

OR you can create calculated fields https://docs.splunk.com/Documentation/Splunk/6.5.0/Knowledge/CreatecalculatedfieldswithSplunkWeb using replace, like this

eval src_ip=replace(src_ip, "::ffff:", "") 

(and similarly for the src field)


coltwanger
Contributor

This is what's in my props.conf:

[WinEventLog:Security]
SEDCMD-02_clean_empty_ipv6_address = s/::ffff://g

kiran331
Builder

I added this in props.conf in the add-on that is deployed to all servers. It's still showing ::ffff: before all IPs.

woodcock
Esteemed Legend

This kind of change must be deployed to your Indexer tier.

WumboJumbo675
Explorer

What do you mean by the Indexer tier? Where would that be located in the file structure on a Windows syslog server?

lukejadamec
Super Champion

You might be able to use the SEDCMD. Can you post an example event or event number?

kiran331
Builder

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4769
EventType=0
Type=Information
ComputerName=****
TaskCategory=Kerberos Service Ticket Operations
OpCode=Info
RecordNumber=*****
Keywords=Audit Success
Message=A Kerberos service ticket was requested.

Account Information:
Account Name: *********
Account Domain: *************
Logon GUID: {1D0DDE0-5DDB-BCC0-0C86-78CCVVBFCF3BC}

Service Information:
Service Name: *********$
Service ID: *
********$

Network Information:
Client Address: ::ffff:30.21.26.28
Client Port: 52380

Additional Information:
Ticket Options: 0x40810000
Ticket Encryption Type: 0x12
Failure Code: 0x0
Transited Services: -

This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.

This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.

Ticket options, encryption types, and failure codes are defined in RFC 4120.

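As an added example (not from any poster in this thread and not Splunk code), the following Python script compares the blanket s/::ffff://g substitution from the accepted answer and the props.conf SEDCMD with a parser-based normalization that only unwraps genuine IPv4-mapped IPv6 addresses. It runs on a constructed event modelled on the EventCode 4769 sample above; the sample values, the field list in ADDRESS_FIELDS and the tighter regex are assumptions, not Splunk behaviour.

```python
import ipaddress
import re

# Constructed sample modelled on the EventCode 4769 event quoted in the thread.
# Addresses and names are placeholders, not real hosts.
SAMPLE_EVENT = """LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4769
Message=A Kerberos service ticket was requested.

Account Information:
Account Name: svc-example$
Account Domain: EXAMPLE

Network Information:
Client Address: ::ffff:30.21.26.28
Client Port: 52380
"""

# The accepted answer's expression, as used by SEDCMD / rex mode=sed: s/::ffff://g
BLANKET_PATTERN = re.compile(r"::ffff:")

# Assumed tighter variant: strip the prefix only when an IPv4 dotted quad follows it.
TIGHT_PATTERN = re.compile(r"::ffff:(\d{1,3}(?:\.\d{1,3}){3})")


def sed_strip(text: str) -> str:
    """Delete every '::ffff:' substring, exactly like the thread's sed expression."""
    return BLANKET_PATTERN.sub("", text)


def tight_strip(text: str) -> str:
    """Delete '::ffff:' only where it prefixes an IPv4 dotted quad."""
    return TIGHT_PATTERN.sub(r"\1", text)


def normalize_address(value: str) -> str:
    """Unwrap an IPv4-mapped IPv6 address (::ffff:a.b.c.d) to a.b.c.d.

    Anything that is not an IP address ('-', a hostname, empty) and any IPv6
    address that merely contains the text '::ffff:' is returned unchanged.
    """
    value = value.strip()
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return value
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return value


def parse_event(raw: str) -> dict:
    """Parse 'Key=Value' header lines and 'Key: Value' message lines into a dict.

    Section headers such as 'Network Information:' carry no value and are skipped.
    """
    fields = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        if "=" in line and ":" not in line.split("=", 1)[0]:
            key, value = line.split("=", 1)
        elif ":" in line:
            key, value = line.split(":", 1)
        else:
            continue
        key, value = key.strip(), value.strip()
        if value:
            fields[key] = value
    return fields


# Assumed list of fields holding a client address; extend it for other event codes.
ADDRESS_FIELDS = ("Client Address",)


def normalize_event(raw: str) -> dict:
    """Parse an event and normalize its address fields with the ipaddress module."""
    fields = parse_event(raw)
    for name in ADDRESS_FIELDS:
        if name in fields:
            fields[name] = normalize_address(fields[name])
    return fields


if __name__ == "__main__":
    print(normalize_event(SAMPLE_EVENT)["Client Address"])
    # Where the blanket substitution and the parser disagree: a plain IPv6
    # address that happens to contain '::ffff:' in the middle of its groups.
    for sample in ("::ffff:30.21.26.28", "2001:db8::ffff:1", "10.0.0.5", "-"):
        print(f"{sample:>20}  sed={sed_strip(sample):<18} "
              f"tight={tight_strip(sample):<18} parsed={normalize_address(sample)}")
```

sed_strip applied to the whole SAMPLE_EVENT string is the closer analogue to the props.conf SEDCMD, which rewrites _raw at index time, while normalize_event corresponds to the search-time eval/rex approach on an already extracted field. The second sample in the comparison is the reason an unanchored global substitution is worth checking against real IPv6 traffic before it is pushed to every indexer.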