AD FS ip field extraction

jig004
Engager

Stuck on a regex question for AD FS logs. I am trying to extract all IPs following a field ("Client IP: ") in an AD FS log.
My log looks like this (truncated to save space):

10/02/2018 09:22:50 AM
LogName=Security
SourceName=AD FS Auditing
EventCode=411
EventType=0
Type=Information
ComputerName=*
User=*
Sid=*
SidType=1
TaskCategory=Printers
OpCode=Info
RecordNumber=*
Keywords=Audit Failure, Classic
Message=Token validation failed. See inner exception for more details. 

Additional Data 

Activity ID: 00000000-0000-0000-0000-000000000000 

Token Type: 
http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName  

Client IP: 
117.31.21.102,2603:1001:750:16::5 

Error message: 
*****

Exception details: 
System.IdentityModel.Tokens.SecurityTokenValidationException: ******
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)

So the end result desired is that I get both IP addresses under the field src_ip (so it is multivalue), and that it only tries the regex if it finds EventCode=411 or 512, etc.

What I have so far is this:

(?ms)(?:\G(?!\A)\s*,\s*|EventCode=411\R.*?\R)\K(?P<src_ip>(?:\d{1,3}\.){3}(?:\d{1,3})|(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}[\d%A-Fa-f.]*(?:::)?|::[\dA-Fa-f.]{1,15}|::)

This was helpfully provided by someone over at Stack Overflow.

This works in regex101 and any other regex helper sites. However, when applied to Splunk it only snatches up the first IP. What am I missing here? I have tested each individual part independently (as much as I could) and they have worked.

Is there a problem with negative lookaheads in Splunk?

Any ideas?

jwalzerpitt
Influencer

Did you ever solve this issue?

I tried using | mvexpand src_ip but that didn't grab all of the IP values.

Thx


harsmarvania57
Ultra Champion

Hi @jig004,

If you have Splunk_TA_windows installed on your search head, then it will parse the EventCode field and you will be able to use the search below to extract the IP addresses. In the query below, the regex I have provided is based on the sample data you provided; if you really want to extract the full IPv6 range, then you need to change the regex accordingly.

index=<yourindex> EventCode=411 OR EventCode=512 | rex field=_raw max_match=0 "(?<IP>(?:\d{1,3}\.){1,3}\d{1,3}|(?:[0-9a-fA-F]{1,4}:){1,4}(?::[0-9a-fA-F]{1,4}){1,3})"
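The behaviour both posts are describing is rex's default of max_match=1: without max_match=0, rex stops after the first match, which is why the question's \G/\K regex returns one IP in Splunk while a "global" run in regex101 returns both. The Python below is an added example, not code from this thread, that mimics that rex behaviour over a constructed event in the shape of the EventCode 411 message above, and then shows the extraction a practitioner would actually want: gate on the event code, anchor the regex to the "Client IP:" field instead of scanning the whole message, and validate each comma-separated token with the standard ipaddress module rather than a hand-written IPv6 pattern. The sample events, the rex_like helper and the function names are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample events modelled on the AD FS auditing event in the
# question (not the original log; hostnames and other fields are elided).
SAMPLE_EVENTS = [
    """10/02/2018 09:22:50 AM
LogName=Security
SourceName=AD FS Auditing
EventCode=411
TaskCategory=Printers
Keywords=Audit Failure, Classic
Message=Token validation failed. See inner exception for more details.

Additional Data

Activity ID: 00000000-0000-0000-0000-000000000000

Token Type:
http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName

Client IP:
117.31.21.102,2603:1001:750:16::5

Error message:
*****
""",
    # Constructed: same shape, an event code the question does not want matched.
    """10/02/2018 09:23:01 AM
LogName=Security
SourceName=AD FS Auditing
EventCode=299
Message=A token was successfully issued.

Client IP:
10.20.30.40
""",
]

# A loose "looks like an IP" pattern in the spirit of the posted regexes:
# dotted quad, or two to seven hex groups separated by colons.
IP_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}|(?:[0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4}")

# Field-anchored patterns (assumed names): the event code line, and the line
# that follows "Client IP:" (\s* absorbs the trailing space and newline).
EVENT_CODE_RE = re.compile(r"^EventCode=(\d+)\s*$", re.MULTILINE)
CLIENT_IP_RE = re.compile(r"^Client IP:\s*(?P<ips>[^\r\n]+)", re.MULTILINE)


def rex_like(pattern, text, max_match=1):
    """Mimic Splunk's rex: max_match=1 (the default) keeps only the first
    match; max_match=0 keeps every match as a multivalue field."""
    matches = [m.group(0) for m in pattern.finditer(text)]
    return matches if max_match == 0 else matches[:max_match]


def event_code(event):
    """Return the integer EventCode of an event, or None if absent."""
    m = EVENT_CODE_RE.search(event)
    return int(m.group(1)) if m else None


def extract_client_ips(event, codes=(411, 512)):
    """Return the src_ip list for events whose EventCode is in `codes`.

    Tokens after "Client IP:" are split on commas and validated with
    ipaddress, so a stray non-IP line (e.g. when the field is empty and the
    regex slides on to "Error message:") is dropped instead of trusted.
    """
    if event_code(event) not in codes:
        return []
    m = CLIENT_IP_RE.search(event)
    if not m:
        return []
    ips = []
    for token in m.group("ips").split(","):
        token = token.strip()
        try:
            ips.append(str(ipaddress.ip_address(token)))
        except ValueError:
            continue  # not an IP literal; skip it
    return ips


if __name__ == "__main__":
    raw = SAMPLE_EVENTS[0]
    print("rex default   :", rex_like(IP_RE, raw))
    print("rex max_match=0:", rex_like(IP_RE, raw, max_match=0))
    for ev in SAMPLE_EVENTS:
        print(event_code(ev), extract_client_ips(ev))
```

Running the loose pattern over the whole raw event also shows why anchoring matters: the first thing that "looks like" a colon-separated IPv6 address in this event is the timestamp 09:22:50, so an unanchored rex over _raw will happily put it into src_ip. Anchoring on the Client IP field and validating with ipaddress sidesteps that, and also covers compressed and mixed IPv6 forms that the hand-written regexes in the thread only approximate.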