
Cisco eStreamer eNcore Add-on for Splunk v3.6.8 - Error in two EXTRACTs


Cisco eStreamer eNcore Add-on for Splunk v3.6.8 has two EXTRACTs with errors in them.

EXTRACT-extract_src and EXTRACT-extract_dest both have an extraneous equal sign (=) before the start of the regex which means that src_ip and dest_ip don't get extracted. Both are under the [cisco:firepower:syslog] stanza.


I stumbled across the same thing today. Additionally, I was wondering if the regex itself has a mistake as well. Our Firepower generates logs with the fields SrcIP and DestIP. However, the regexes only match a lowercase "p" at the end.

Original Regex:


EXTRACT-extract_src==^.+SrcIp\:\ (?P<src_ip>[^,;]+)
EXTRACT-extract_dest = =^.+DestIp\:\ (?P<dest_ip>[^,]+)


Fixed Regex (not tested):


EXTRACT-extract_src=^.+SrcIP\:\ (?P<src_ip>[^,;]+)
EXTRACT-extract_dest = ^.+DestIP\:\ (?P<dest_ip>[^,]+)


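To see why the extraneous equal sign breaks field extraction, the following added example (not from the add-on or either poster) reads the four EXTRACT lines quoted above the way props.conf is parsed, where only the first `=` separates key from value, and runs the resulting regexes with Python's `re` against a constructed Firepower-style syslog line. The sample event, its timestamp, host and UUID are assumptions; the patterns are the thread's own.

```python
import re

# Constructed sample event (not from the thread); uses the mixed-case field
# names SrcIP / DestIP that the reply reports seeing in real Firepower logs.
SAMPLE_EVENT = (
    "2021-10-05T12:00:00Z fw01 %FTD-1-430002: EventPriority: Low, "
    "DeviceUUID: 0000-placeholder, SrcIP: 10.1.2.3, DestIP: 203.0.113.7, "
    "SrcPort: 51234, DestPort: 443"
)

# The EXTRACTs exactly as quoted in the thread: shipped (buggy) and proposed fix.
ORIGINAL_LINES = [
    r"EXTRACT-extract_src==^.+SrcIp\:\ (?P<src_ip>[^,;]+)",
    r"EXTRACT-extract_dest = =^.+DestIp\:\ (?P<dest_ip>[^,]+)",
]
FIXED_LINES = [
    r"EXTRACT-extract_src=^.+SrcIP\:\ (?P<src_ip>[^,;]+)",
    r"EXTRACT-extract_dest = ^.+DestIP\:\ (?P<dest_ip>[^,]+)",
]


def parse_extract(line):
    """Split 'EXTRACT-<name> = <regex>' on the FIRST '=' only, as a .conf
    parser does. A second '=' is therefore not a separator: it becomes the
    first character of the regex, producing the pattern '=^.+...'."""
    key, _, value = line.partition("=")
    return key.strip(), value.strip()


def apply_extract(line, event):
    """Run one EXTRACT regex against an event and return the named groups it
    captures. An empty dict means no match, i.e. Splunk would leave the
    field unset, which is the symptom the thread describes."""
    _, regex = parse_extract(line)
    match = re.search(regex, event)
    return match.groupdict() if match else {}


def run_all(lines, event):
    """Apply a list of EXTRACT lines and collect the fields each one yields."""
    return {parse_extract(l)[0]: apply_extract(l, event) for l in lines}


if __name__ == "__main__":
    # Leading '=' followed by the '^' anchor can never match, so both buggy
    # stanzas yield nothing; the corrected ones extract src_ip and dest_ip.
    print("original:", run_all(ORIGINAL_LINES, SAMPLE_EVENT))
    print("fixed:   ", run_all(FIXED_LINES, SAMPLE_EVENT))
```

Note that removing only the stray `=` while keeping `SrcIp` still yields no match on events that spell the field `SrcIP`, so the casing point raised in the reply matters as well.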