Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field value combine from auto extracted value

sumitkathpal292
New Member
‎05-05-2018 03:18 AM

Hi All,

We have endpoint logs by default logs are in JSON format field which are auto extracted however we have two field name Protocol(tcp,udp etc) and RemotePort(443,8080 ,53 etc) . Actually we want dest_port=Protocol/RemotePort Example output tcp/443.

Sample log

{"ConfigBuild":"1000.1.0006507.1","ConfigStateHash":"118807017","ConnectionDirection":"0","ConnectionFlags":"0","ContextProcessId":"124283148110857432","ContextTimeStamp":"1122143620.880","EffectiveTransmissionClass":"3","Entitlements":"15","InContext":"0","LocalAddressIP4":"10.0.0.34","LocalPort":"52022","Protocol":"6","RemoteAddressIP4":"10.0.0.1","RemotePort":"443","aid":"a50f3aab996345f46510ec2f4c12b399","aip":"13.70.190.121","cid":"07b2sf7ss17147df10j15ggb6d7010tc","event_platform":"Win","event_simpleName":"NetworkConnectIP4","id":"ac8b80b5-4s36-10f8-000c-061014bed5be","name":"NetworkConnectIP4V5","timestamp":"1525175921212"}

Can we use existing extracted fields which are Protocol and RemotePort somehow map with desired field which is dest_port=Protocol/RemotePort or kindly help me to extract the field value.

Thanks in advance

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎05-05-2018 05:14 AM

hello there,

you can create a string from both fields.
something like this:
... | eval combined = Protocol. "/" .RemotePort" ...
try this search anywhere:

| makeresults count=1 
| eval data="TCP,8000 UDP,514 TCP,9997 UDP,1514"
| makemv delim=" " data
| mvexpand data
| rex field=data "(?<Protocol>\w+),(?<Port>\d+)"
| fields Port Protocol
| eval combined = Protocol. "/" .Port

hope it helps

View solution in original post

Reply
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎05-05-2018 05:14 AM

hello there,

you can create a string from both fields.
something like this:
... | eval combined = Protocol. "/" .RemotePort" ...
try this search anywhere:

| makeresults count=1 
| eval data="TCP,8000 UDP,514 TCP,9997 UDP,1514"
| makemv delim=" " data
| mvexpand data
| rex field=data "(?<Protocol>\w+),(?<Port>\d+)"
| fields Port Protocol
| eval combined = Protocol. "/" .Port

hope it helps

Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...