Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract source and destination IP fields?

rootchin
Engager
‎03-01-2017 08:23 AM

I am trying to configure various search fields for a firewall log from the field extractor but Splunk is pulling up some incorrect results. Any help would be appreciated. The two images are examples of the logs.

Here is the expression that incorrectly pulls up some results.

^[^/\n]*/(?P[^\(]+)

alt text

alt text

Preview file
1 KB
Preview file
1 KB
Reply

bshuler_splunk
Splunk Employee
Splunk Employee
‎03-01-2017 12:31 PM

First Extraction: https://regex101.com/r/CFOb1y/1
Second Extraction: https://regex101.com/r/43d4OA/1

Obviously, if you provide a full log, I could help more, but this should get you started.

Also, check this out: https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Scrub

And if you want a CIM compliant TA for Cisco ASA, I would try: https://splunkbase.splunk.com/app/1620/

Odds are, the Splunk extractions are better.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-01-2017 08:54 AM

What results are you getting and what do you expect?

A copy-and-paste of the event text is more helpful than a screen shot.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

hgrow
Communicator
‎03-01-2017 09:25 AM

As richgalloway mentioned copy past would be usefull. By the title I assume you are looking for the source and destination fields.

For your first example inside:(?<src_ip>[^\/]+)\/(?<src_port>\d+) dst outside:(?<dest_ip>[^\/]+)\/(?<dest_port>\d+) might be a fitting regex. 

something something ... deny tcp src inside:123.123.123.123/444 dst outside:111.222.333.444/555 ....

I personally would go with another extraction for your other example since both events are not quite similar but I'm sure someone else would combine both.

For the second example permitted \w+ \w+\/(?<src_ip>[^\(]+)\(\w+\) -> outside\/(?<dest_ip>[^\(]+) might fit. 

something something ... permitted udp dmz/111.222.333.444(123) -> outside/123.123.123.123(123) ....
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...