Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Capture and remove zeros from ipv4 address

stavbergen
Explorer
‎09-09-2021 08:38 PM

Hello I'm trying to capture the ip address from the PXE log example shown. I want to also trim any preceding 0 so I can use the ip as an index. I feel I'm pretty close on this one.

Log sample:
Operation: BootRequest (1) Addr type: 1 Addr Len: 6 Hop Count: 0 ID: 0001E240
Sec Since Boot: 65535 Client IP: 018.087.789.006 Your IP: 000.000.000.000 Server IP: 178.187.178.874 Relay Agent IP: 000.000.000.000
Addr: 87:f3:78:a5:78:b2:
Magic Cookie: 63878263

Splunk Search:
index="*********" source="D:\\SMS_DP$\\sms\\logs\\SMSPXE.log" | rex field=_raw "Addr: (?<Time>\d.{16})" | rex field=_raw "Addr: (?<PXE_MAC>\d.{16})" | rex field=_raw "Type=97 UUID: (?<PXE_UUID>\d.{33})" |
rex field=_raw "Client IP: (?<PXE_IP>\d.{14})" | rex field=PXE_IP "^(?<PXE_IP_MOD>\b0+(\d+))" | rex field=_raw " date=\"(?<PXE_Date>\d.{9})" | rex field=_raw "><time=\"(?<PXE_Time>\d.{7})" | rex field=_raw "Type=53 Msg Type: (?<PXE_Traffic>\w.{4})" | rex field=_raw "Type=93 Client Arch: (?<PXE_Arch>\w.{3})" | where isnotnull(PXE_Traffic) | rename host as PXE_Host | table PXE_Host,PXE_Traffic,PXE_MAC,PXE_IP,PXE_IP_MOD,PXE_UUID,PXE_Arch,PXE_Date,PXE_Time | sort by PXE_Date, PXE_Time desc

Regex:
regex101: build, test, and debug regex

PXE-Splunk-Capture.PNG

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎09-09-2021 10:56 PM

Hi

you could try with this https://regex101.com/r/fsQG46/1 (You can save your regex and refer it with this kind of URL). I fixed those is addresses to correct format.

...
| rex "Client IP: (?<PXE_IP>[0-2]\d\d\.[0-2]\d\d\.[0-2]\d\d\.[0-2]\d\d)"
| eval PXE_IP_ORG = PXE_IP
| rex mode=sed field=PXE_IP "s/(^|\.)[0]+/\1/g"
| table PXE_IP_ORG PXE_IP

previous seems to be working with correct IP address schema.

r. Ismo 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

stavbergen
Explorer
‎09-09-2021 11:34 PM

Thankyou solution worked!

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎09-09-2021 10:56 PM

Hi

you could try with this https://regex101.com/r/fsQG46/1 (You can save your regex and refer it with this kind of URL). I fixed those is addresses to correct format.

...
| rex "Client IP: (?<PXE_IP>[0-2]\d\d\.[0-2]\d\d\.[0-2]\d\d\.[0-2]\d\d)"
| eval PXE_IP_ORG = PXE_IP
| rex mode=sed field=PXE_IP "s/(^|\.)[0]+/\1/g"
| table PXE_IP_ORG PXE_IP

previous seems to be working with correct IP address schema.

r. Ismo 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...