Getting Data In

srcip having numeric number

pavanbmishra
Path Finder

Hi All,

While analyzing the firewall logs, I could see the src_ip (src) field taking a numeric number as well, along with the actual IP address. Sharing the below sample log, where it is grabbing src as 5864897, the numeric one just after PASS.

Nov 5 17:37:57 abcxyz.com fwlogs:[27999] match PASS 5864897/5893553 IN 60 TCP 10.10.10.10/4655->10.20.20.20/443 S

I extracted the field as below for src; still it is not getting parsed and is taking the numeric value. Kindly help.

(TCP|FIN|RST|TIMEOUT)\s(?<srcip>\d+\.\d+\.\d+\.\d+)/

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @pavanbmishra,

probably your logs are different than the one you shared, because the regex is correct:

[screenshot: ppp.png]

Could you share other samples?

Ciao.

Giuseppe


pavanbmishra
Path Finder

Thanks gcusello,

I tried this also, still no luck, same issue.

0 Karma


pavanbmishra
Path Finder

Yeah, it is. By the way, many thanks for being a helping hand.

I even tried this, and it is working on regex101 but not working as an extracted field. Here is the below sample log:

Nov 6 07:13:43 xyz.com dflogs:[13223] match PASS 5864435/5893003 IN 52 TCP 10.10.10.10/62203->10.20.20.20/443 SEW

Also wanted to highlight that the src and src_ip fields are already there and I am overwriting the regex using a field extraction. Would that work, or is there anything else I need to look into here?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @pavanbmishra,

I don't understand why you want to overwrite the srcip value. Anyway, the regex is correct and runs in Splunk as well, not only in regex101:

[screenshot: gcusello_0-1604647482264.png]

As I said, probably there's something different in your logs.

Ciao.

Giuseppe

0 Karma

pavanbmishra
Path Finder

Yes gcusello, exactly, it is working in Splunk as well.

The motive behind creating this field extraction is that there are some numeric values also being captured along with the IP address, and I wanted to exclude those numeric values here. Any suggestion would be highly appreciated.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @pavanbmishra,

could you explain this new situation better?

What do you mean with "there are some numeric values also being captured along with the IP address"?

If you use my above regex you can only take values in IPv4 format.

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @pavanbmishra,

the problem is the final slash "/" that must be escaped:

| rex "(TCP|FIN|RST|TIMEOUT)\s(?<srcip>\d+\.\d+\.\d+\.\d+)\/"

that you can test at https://regex101.com/r/YTmopO/1

Ciao.

Giuseppe

0 Karma
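To see why the thread's extraction cannot pick up the counter after PASS, here is an added Python example (not Splunk code and not from any poster) that runs the same regex over constructed log lines shaped like the two samples above, checks that every captured srcip is a valid IPv4 address, and parses the rest of the line into named fields. Python's re module needs the `(?P<name>...)` group syntax where Splunk's rex uses `(?<name>...)`; the field names in LINE_RE other than src/dest and their ports (the two counters after PASS in particular) are assumptions about the format, not documented names.

```python
import ipaddress
import re

# Constructed sample lines, copied in shape from the two logs posted in the thread.
SAMPLE_LOGS = [
    "Nov 5 17:37:57 abcxyz.com fwlogs:[27999] match PASS 5864897/5893553 IN 60 TCP 10.10.10.10/4655->10.20.20.20/443 S",
    "Nov 6 07:13:43 xyz.com dflogs:[13223] match PASS 5864435/5893003 IN 52 TCP 10.10.10.10/62203->10.20.20.20/443 SEW",
]

# The extraction from the thread, with the trailing slash escaped as in the final rex command.
# Only a dotted quad preceded by the protocol/state keyword and followed by "/" can match,
# so the "5864897" counter after PASS is never a candidate.
SRCIP_RE = re.compile(r"(TCP|FIN|RST|TIMEOUT)\s(?P<srcip>\d+\.\d+\.\d+\.\d+)\/")

# Full-line parser; group names other than src/dest/src_port/dest_port are assumed labels.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s"
    r"(?P<logger>\w+):\[(?P<pid>\d+)\]\s"
    r"match\s(?P<action>\w+)\s"
    r"(?P<counter_a>\d+)/(?P<counter_b>\d+)\s"   # meaning of the two counters is unknown here
    r"(?P<direction>IN|OUT)\s"
    r"(?P<length>\d+)\s"
    r"(?P<proto>\w+)\s"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<src_port>\d+)->"
    r"(?P<dest>\d+\.\d+\.\d+\.\d+)/(?P<dest_port>\d+)"
    r"(?:\s(?P<flags>\S+))?$"
)


def extract_srcip(line):
    """Apply the thread's srcip regex; return the captured value or None."""
    m = SRCIP_RE.search(line)
    return m.group("srcip") if m else None


def is_ipv4(value):
    """True only for a syntactically valid IPv4 address (rejects bare counters and octets > 255)."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except (ValueError, TypeError):
        return False


def parse_line(line):
    """Break one firewall line into named fields; ports and length become ints."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("src_port", "dest_port", "length", "pid"):
        fields[key] = int(fields[key])
    return fields


def audit_srcip(lines):
    """Return the lines whose srcip extraction is missing or not a valid IPv4 address.

    This is the check a Splunk admin would want before trusting the field: an empty
    result means the extraction never yields a numeric counter in place of an address.
    """
    return [line for line in lines if not is_ipv4(extract_srcip(line))]


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(extract_srcip(line), parse_line(line))
    print("bad extractions:", audit_srcip(SAMPLE_LOGS))
```

If a real event does produce a numeric srcip with this regex, audit_srcip will surface that line, which is the sample worth posting back to the thread; the counter after PASS cannot be the culprit because it is not preceded by TCP, FIN, RST or TIMEOUT.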