Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Finding unique entries

jlixfeld
Path Finder
‎10-17-2013 09:58 AM

I have syslog data that looks like so:

2013-10-17T12:37:01.608054-04:00 fw01.77MowatAv01.YYZ %ASA-1-106021: Deny SCTP reverse path check from 10.10.23.2 to 10.10.22.3 on interface SYSTEMS-MANAGEMENT
2013-10-17T12:37:02.367813-04:00 fw01.77MowatAv01.YYZ %ASA-1-106021: Deny SCTP reverse path check from 10.10.23.2 to 10.10.22.131 on interface SYSTEMS-MANAGEMENT
2013-10-17T12:37:03.117860-04:00 fw01.77MowatAv01.YYZ %ASA-1-106021: Deny SCTP reverse path check from 10.10.23.2 to 10.10.22.3 on interface SYSTEMS-MANAGEMENT
2013-10-17T12:37:03.867785-04:00 fw01.77MowatAv01.YYZ %ASA-1-106021: Deny SCTP reverse path check from 10.10.23.2 to 10.10.22.131 on interface SYSTEMS-MANAGEMENT
2013-10-17T12:37:04.617843-04:00 fw01.77MowatAv01.YYZ %ASA-1-106021: Deny SCTP reverse path check from 10.10.23.2 to 10.10.22.3 on interface SYSTEMS-MANAGEMENT
2013-10-17T12:37:05.367849-04:00 fw01.77MowatAv01.YYZ %ASA-1-106021: Deny SCTP reverse path check from 10.10.23.2 to 10.10.22.131 on interface SYSTEMS-MANAGEMENT
2013-10-17T12:37:08.349020-04:00 fw01.77MowatAv01.YYZ %ASA-1-106021: Deny TCP reverse path check from 192.0.2.1 to 184.28.42.175 on interface MANAGEMENT

I want to run a one-off query against this syslog data to pull out the unique events based on the values of two fields within each event.

I'm having a hard time getting the IP addresses which I want to use as the unique values to match against other events. Assuming the field separator is a space character, the IP address fields would be fields 10 and 12 of the sample syslog output above.

In shell scripting land, I can simply use awk -F" " '{print $10" "$12)' but is there a way that is just as easy where I can specify the field delimiter and the field positions in Splunk?

Am I making any sense here?

Essentially what I want to see from this query is that based on the syslog sample above, the following is unique:

10.10.23.2 10.10.22.3
10.10.23.2 10 .10.22.131
192.0.2.1 184.28.42.175

The rex and regex stuff is far too complex for my little brain to comprehend, so I'm trying to see if there is a way I can use familiar tools, or concepts from familiar tools to achieve the same results.

Thanks in advance!

BTW: Using Splunk Enterprise 6.

Tags (3)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-17-2013 10:57 AM

Rex is pretty simple once you get the hang of it. Try something like this:

... | rex field=_raw "(?<arg1>.*?)\s(?<arg2>.*?)\s(?<arg3>.*?) Deny TCP reverse path check from (?<From>.*?) to (?<To>.*?) on interface (?<interface>.*?)" | dedup From, To | table From, To

Someone else may have a more elegant solution.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...