Splunk Enterprise

How to adjust the parser in Splunk to look for things without space or to cleanse the datastream before parsed?

rh71rdu
Explorer

Hi!

I have a stream of (Syslog) data coming from my Router via UDP into my workstation that is received and parsed by Splunk into fields, to identify (mostly) attempts to breach my router’s firewall by outside servers.

Unfortunately the syslog stream consistently omits a space or Tab between the MAC address ‘item’ and the source IP ‘item’, like this:

…OUT= MAC=00:00:00:00:00:00:8484:26:2b:9b:ea:bd:src=31.220.1.83…

which causes all SRC IP address fields to remain unparsed.

If I could instruct Splunk to look instead for “:src=xx.xxx.xxx.xxx”, or cleanse the data stream by converting all “:src=” into “: src=” (note the space), I think my Splunk Search will begin interpreting these ‘rogue’ Source IP fields and reveal some interesting attempts to access my network.

Does anyone know how to adjust the parser in Splunk to look for things without a space or to cleanse the datastream before it is parsed?

Thanks,

Rob

0 Karma

matt8679
Path Finder

Hi,

So you can easily change this at search time with a regex.

Try something like this:

Your main search |rex field=_raw "src\=(?<src>\d+\.\d+\.\d+\.\d+)"

0 Karma
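As an added example (not from either poster), the two props.conf approaches that correspond to the question: a search-time extraction that tolerates the missing space, and the index-time sed cleanse the question proposes. The sourcetype name router_syslog is assumed; use whatever your UDP input assigns.

```ini
# props.conf (added example; "router_syslog" is an assumed sourcetype name)

[router_syslog]

# Option 1: search-time field extraction. Needs no re-indexing and applies
# to data already in the index. The group is anchored on "src=" whatever
# character precedes it (here the last hex digit of the MAC run followed
# by ':'), so the missing space no longer breaks the extraction.
EXTRACT-fw_src = (?:^|[\s:])src=(?<src>\d{1,3}(?:\.\d{1,3}){3})

# Option 2: index-time cleansing, exactly the ":src=" -> ": src=" rewrite
# the question suggests, so the stock key=value extraction sees a normal
# boundary. Caveats: it only affects events indexed after the change, and
# SEDCMD runs where parsing happens (indexer or heavy forwarder), so it
# does nothing if placed on a universal forwarder.
SEDCMD-fix_src_space = s/:src=/: src=/g
```

With Option 1 in place, `sourcetype=router_syslog | stats count by src` works without the per-search rex shown in the answer above; Option 2 additionally normalises the raw event for any other extraction that keys on whitespace.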