
How to fill a field with an ip address extracted from another field?

aelliott
Motivator

I have a need for the field "dest" to be filled with an IP address that I am extracting from another field; the extraction also fills in "dest_port".

All attempts to fill in this field with the correct value have failed. I have tried EXTRACT, FIELDALIAS and REPORT.

Ways I can get it to show up:
1. Add |extract reload=t to the end of the search
2. Put the extraction's regex directly in the search

I have another nearly identical field with an IP and port that is being extracted the exact same way, and it works just fine.

Here are my extractions:
transforms.conf:

[srctranslatedtran]
FORMAT = src_translated_ip::$1 src_translated_port::$2
# dots escaped so they match a literal '.' rather than any character
REGEX = (\d+\.\d+\.\d+\.\d+):(\d+)
SOURCE_KEY = original_source

[destinationtran]
FORMAT = dest::$1 dest_port::$2
REGEX = (\d+\.\d+\.\d+\.\d+):(\d+)
SOURCE_KEY = destination

[isafwsw3c]
DELIMS = "\t"
FIELDS = "computer","date","time","ip_protocol","original_source","destination","original_client_ip","source_network","destination_network","action","status","rule","application_protocol","bidirectional","bytes_sent","bytes_sent_intermediate","bytes_received","bytes_received_intermediate","connection_time","connection_time_intermediate","destination_name","username","agent","session_id","connection_id","interface","ip_header","protocol_payload","gmt_time","nis_scan_result","nis_signature","nat_address","fwc_client_fqdn","fwc_app_path","fwc_app_sha1_hash","fwc_app_trust_state","fwc_app_internal_name","fwc_app_product_name","fwc_app_product_version","fwc_app_file_vrsion","fwc_app_original_file_name","internal_service_info","nis_application_protocol"

[setnull]
REGEX = ^#
DEST_KEY = queue
FORMAT = nullQueue

[ISAFirewallStatus]
filename = ISAFirewallStatuses_New.csv

props.conf

[isafwsw3c]
REPORT-isafwsw3c = isafwsw3c
TRANSFORMS-null = setnull
EVAL-host = computer
EVAL-dvc = computer
FIELDALIAS-IP_protocol_to_transport = ip_protocol as transport
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = false
FIELDALIAS-original_client_IP_as_src = original_client_ip as src
FIELDALIAS-src_network_as_src_interface = source_network as src_interface
FIELDALIAS-destination_network_as_dest_interface = destination_network as dest_interface
FIELDALIAS-application_protocol_as_app = application_protocol as app
FIELDALIAS-bytes_sent_as_bytes_out = bytes_sent as bytes_out
FIELDALIAS-bytes_received_as_bytes_in = bytes_received as bytes_in
TIME_PREFIX = ^[^\t]+\t
TIME_FORMAT = %Y-%m-%d%n%H:%M:%S
TZ = GMT
LOOKUP-ISAFirewallStatus = ISAFirewallStatus code AS status OUTPUT symbolic_name AS signature
EVAL-product = "Microsoft TMG"
REPORT-destinationtran = destinationtran
REPORT-srctranslated = srctranslatedtran
1 Solution

somesoni2
Revered Legend

Another alternative (calculated fields) if you want to try

props.conf

[isafwsw3c]
# \w already covers letters, digits and underscore; the stray '|' inside the class is dropped
EVAL-someshdest = replace(destination, "^(\w+\.\w+\.\w+\.\w+):(\d+)", "\1")
EVAL-someshdest_port = replace(destination, "^(\w+\.\w+\.\w+\.\w+):(\d+)", "\2")


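The following is an added example, not code from the thread or from Splunk: it reimplements the tab-delimited W3C parse, the `[setnull]` header drop and the `ip:port` split in Python so the regex can be validated offline against constructed sample lines before it is deployed in props.conf or transforms.conf. The sample log lines, the shortened `FIELDS` list and the `STRICT_RE` pattern are assumptions made for the example. A likely reason the REPORT approach did not populate `dest`, which the thread itself does not state, is that Splunk applies `REPORT-<class>` extractions in ASCII order of the class name, so `REPORT-destinationtran` runs before `REPORT-isafwsw3c` has created the `destination` field, whereas `REPORT-srctranslated` sorts after it; a calculated field (EVAL) is evaluated after the REPORT extractions and sidesteps that ordering. The example also shows why the unescaped `.` in the original regex matters: it accepts a value that is not an IP address at all.

```python
import re

# Constructed sample of TMG/ISA W3C lines (tab-delimited), limited to the first
# six columns of the FIELDS list from the question. Not real log data.
FIELDS = ["computer", "date", "time", "ip_protocol", "original_source", "destination"]
SAMPLE_LINES = [
    "#Fields: computer\tdate\ttime\tip_protocol\toriginal_source\tdestination",
    "TMG01\t2022-06-27\t10:15:01\tTCP\t10.0.0.5:51234\t203.0.113.10:443",
    "TMG01\t2022-06-27\t10:15:02\tTCP\t10.0.0.6:51235\t192.0.2.7:80",
    "TMG01\t2022-06-27\t10:15:03\tUDP\t10.0.0.7:53\t192.0.2.53",  # no port present
]

# As written in the question: '.' is unescaped, so it matches any character.
LOOSE_RE = re.compile(r"(\d+.\d+.\d+.\d+):(\d+)")
# Assumed tightened form: literal dots, 1-3 digit octets, anchored to the whole field.
STRICT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def parse_w3c(lines):
    """Mimic [isafwsw3c] (DELIMS/FIELDS) plus [setnull]: drop '#' lines, split on tabs."""
    events = []
    for line in lines:
        if line.startswith("#"):  # [setnull] sends header/comment lines to nullQueue
            continue
        values = line.split("\t")
        events.append(dict(zip(FIELDS, values)))
    return events


def split_ip_port(value, pattern=STRICT_RE):
    """Return (ip, port) for an 'ip:port' value, or (None, None) when it does not match."""
    m = pattern.match(value)
    if not m:
        return None, None
    return m.group(1), m.group(2)


def enrich(events):
    """Populate dest/dest_port and src_translated_ip/src_translated_port like the two transforms."""
    for ev in events:
        ev["dest"], ev["dest_port"] = split_ip_port(ev.get("destination", ""))
        ev["src_translated_ip"], ev["src_translated_port"] = split_ip_port(
            ev.get("original_source", "")
        )
    return events


if __name__ == "__main__":
    for ev in enrich(parse_w3c(SAMPLE_LINES)):
        print(ev["destination"], "->", ev["dest"], ev["dest_port"])
    # The loose pattern accepts a value that is not an IP address; the strict one rejects it.
    print(split_ip_port("1a2b3c4:80", LOOSE_RE), split_ip_port("1a2b3c4:80"))
```

When a value carries no port (the third sample line), both fields are left unset rather than guessed, which mirrors what a non-matching REGEX or replace() produces in Splunk; a search that later filters on `dest_port=*` will then correctly exclude that event instead of carrying a bogus value.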
aelliott
Motivator

Thanks a ton! It took some time, but my dest and dest_port are now being populated correctly.
