Getting Data In

srcip having numeric number

pavanbmishra
Path Finder

Hi All,

While analyzing the firewall logs, I could see the src_ip (src) field taking a numeric value as well as the actual IP address. Sharing the below sample log, where it is grabbing src as 5864897, the numeric value just after PASS.

Nov 5 17:37:57 abcxyz.com fwlogs:[27999] match PASS 5864897/5893553 IN 60 TCP 10.10.10.10/4655->10.20.20.20/443 S

I extracted the field as below for src; still it is not getting parsed and is taking the numeric value. Kindly help.

(TCP|FIN|RST|TIMEOUT)\s(?<srcip>\d+\.\d+\.\d+\.\d+)/

1 Solution

gcusello
SplunkTrust

Hi @pavanbmishra,

probably your logs are different from the one you shared, because the regex is correct:

[screenshot attached: ppp.png]

Could you share other samples?

Ciao.

Giuseppe


pavanbmishra
Path Finder

Thanks gcusello,

I tried this also, still no luck. Same issue.



pavanbmishra
Path Finder

Yeah it is. By the way, many thanks for being a helping hand.

I even tried this, and it is working on regex101 but not working in the extracted field. Here is the sample log:

Nov 6 07:13:43 xyz.com dflogs:[13223] match PASS 5864435/5893003 IN 52 TCP 10.10.10.10/62203->10.20.20.20/443 SEW

I also wanted to highlight that the src and src_ip fields are already there and I am overwriting the regex using a field extraction. Would that work? Or is there anything else I need to look into here?


gcusello
SplunkTrust

Hi @pavanbmishra,

I don't understand why you want to overwrite the srcip value; anyway, the regex is correct and runs in Splunk as well, not only in regex101:

[screenshot attached: gcusello_0-1604647482264.png]

As I said, probably there's something different in your logs.

Ciao.

Giuseppe


pavanbmishra
Path Finder

Yes gcusello, exactly, it is working in Splunk as well.

The motive behind creating this field extraction is that some numeric values are also being captured along with the IP address, and I wanted to exclude those numeric values here. Any suggestion would be highly appreciated.


gcusello
SplunkTrust

Hi @pavanbmishra,

could you explain this new situation better?

What do you mean by "there are some numeric values also being captured along with ip address"?

If you use my above regex you can only take values in IPv4 format.

Ciao.

Giuseppe


gcusello
SplunkTrust

Hi @pavanbmishra,

the problem is the final slash "/" that must be escaped:

| rex "(TCP|FIN|RST|TIMEOUT)\s(?<srcip>\d+\.\d+\.\d+\.\d+)\/"

that you can test at https://regex101.com/r/YTmopO/1

Ciao.

Giuseppe

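To make the difference between the two extractions concrete, here is an added Python example that is not part of the thread or of Splunk itself. It runs the thread's protocol-anchored regex over the two sample log lines above, alongside a loose "first number after PASS" pattern that is my assumption about how a counter such as 5864897 could end up in a src field (the thread does not show the sourcetype's own extraction). It also adds an octet-range check, since \d+ accepts values like 999, and a fuller parser of the whole line whose protocol group is a generic word rather than the (TCP|FIN|RST|TIMEOUT) alternation. The UDP line and the field names (action, seq, direction, length, proto, src, sport, dst, dport) are constructed for the example.

```python
import re

# Two lines from the thread plus one constructed UDP line in the same format,
# used only to show what the thread's alternation does not cover.
SAMPLE_LOGS = [
    "Nov 5 17:37:57 abcxyz.com fwlogs:[27999] match PASS 5864897/5893553 IN 60 TCP 10.10.10.10/4655->10.20.20.20/443 S",
    "Nov 6 07:13:43 xyz.com dflogs:[13223] match PASS 5864435/5893003 IN 52 TCP 10.10.10.10/62203->10.20.20.20/443 SEW",
    # constructed for this example, not from the thread
    "Nov 6 07:14:01 xyz.com dflogs:[13223] match PASS 5864436/5893004 IN 40 UDP 10.10.10.11/5353->10.20.20.21/53 S",
]

# Assumed loose pattern: grabs the first number after the action keyword, which
# is the per-event counter, not an address. This is my guess at how a numeric
# value reaches a src field; the thread does not show the original extraction.
LOOSE_SRC = re.compile(r"PASS\s(?P<src>\d+)")

# The thread's regex, unchanged apart from Python's named-group syntax.
THREAD_SRC = re.compile(r"(TCP|FIN|RST|TIMEOUT)\s(?P<srcip>\d+\.\d+\.\d+\.\d+)/")

# Fuller parser (assumed field names): the protocol token is any word, so lines
# with protocols outside the thread's alternation still parse.
FW_LINE = re.compile(
    r"match\s(?P<action>\w+)\s(?P<seq>\d+)/(?P<seq2>\d+)\s(?P<direction>\w+)\s"
    r"(?P<length>\d+)\s(?P<proto>\w+)\s"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+)->"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+)"
)


def is_ipv4(value):
    """True only for a dotted quad whose four octets are all in 0..255."""
    parts = value.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def loose_src(line):
    """Value the assumed loose pattern would put into src (a counter, not an IP)."""
    m = LOOSE_SRC.search(line)
    return m.group("src") if m else None


def extract_src(line):
    """The thread's regex plus an octet check; None if no valid IPv4 is found."""
    m = THREAD_SRC.search(line)
    if not m or not is_ipv4(m.group("srcip")):
        return None
    return m.group("srcip")


def parse_fw_line(line):
    """Whole-line parse into a dict of named fields; None if the format differs."""
    m = FW_LINE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    # Reject any address that is numeric but not a real dotted quad.
    if not (is_ipv4(fields["src"]) and is_ipv4(fields["dst"])):
        return None
    return fields


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print("loose src :", loose_src(line))
        print("thread src:", extract_src(line))
        parsed = parse_fw_line(line)
        print("parsed    :", parsed and {k: parsed[k] for k in ("proto", "src", "sport", "dst", "dport")})
        print()
```

On the two thread lines the loose pattern yields 5864897 and 5864435 while the anchored regex yields 10.10.10.10, which is the symptom described in the question. On the constructed UDP line the thread's regex returns nothing at all, because UDP is not in its alternation, while the whole-line parser still extracts the tuple; whether that matters depends on which protocol tokens the real firewall emits, which the thread does not show.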