I have a need for the field "dest" to be filled with an IP address that I am extracting from another field; the extraction also fills in "dest_port".
All attempts to fill in this field with the correct value have failed. I have tried EXTRACT, FIELDALIAS, and REPORT.
Ways I can get it to show up:
1. Add |extract reload=t to the end of the search
2. Put the extraction's regex directly in the search
I have another, nearly identical field that has IP and port that is being extracted the exact same way, and it works just fine.
Here are my extractions:
transforms.conf:
[srctranslatedtran]
FORMAT = src_translated_ip::$1 src_translated_port::$2
REGEX = (\d+\.\d+\.\d+\.\d+):(\d+)
SOURCE_KEY = original_source
[destinationtran]
FORMAT = dest::$1 dest_port::$2
REGEX = (\d+\.\d+\.\d+\.\d+):(\d+)
SOURCE_KEY = destination
[isafwsw3c]
DELIMS = "\t"
FIELDS = "computer","date","time","ip_protocol","original_source","destination","original_client_ip","source_network","destination_network","action","status","rule","application_protocol","bidirectional","bytes_sent","bytes_sent_intermediate","bytes_received","bytes_received_intermediate","connection_time","connection_time_intermediate","destination_name","username","agent","session_id","connection_id","interface","ip_header","protocol_payload","gmt_time","nis_scan_result","nis_signature","nat_address","fwc_client_fqdn","fwc_app_path","fwc_app_sha1_hash","fwc_app_trust_state","fwc_app_internal_name","fwc_app_product_name","fwc_app_product_version","fwc_app_file_vrsion","fwc_app_original_file_name","internal_service_info","nis_application_protocol"
[setnull]
REGEX = ^#
DEST_KEY = queue
FORMAT = nullQueue
[ISAFirewallStatus]
filename = ISAFirewallStatuses_New.csv
props.conf:
[isafwsw3c]
REPORT-isafwsw3c = isafwsw3c
TRANSFORMS-null = setnull
EVAL-host = computer
EVAL-dvc = computer
FIELDALIAS-IP_protocol_to_transport = ip_protocol as transport
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = false
FIELDALIAS-original_client_IP_as_src = original_client_ip as src
FIELDALIAS-src_network_as_src_interface = source_network as src_interface
FIELDALIAS-destination_network_as_dest_interface = destination_network as dest_interface
FIELDALIAS-application_protocol_as_app = application_protocol as app
FIELDALIAS-bytes_sent_as_bytes_out = bytes_sent as bytes_out
FIELDALIAS-bytes_received_as_bytes_in = bytes_received as bytes_in
TIME_PREFIX = ^[^\t]+\t
TIME_FORMAT = %Y-%m-%d%n%H:%M:%S
TZ = GMT
LOOKUP-ISAFirewallStatus = ISAFirewallStatus code AS status OUTPUT symbolic_name AS signature
EVAL-product = "Microsoft TMG"
REPORT-destinationtran = destinationtran
REPORT-srctranslated = srctranslatedtran
Another alternative (calculated fields), if you want to try it:
props.conf:
[isafwsw3c]
EVAL-someshdest = replace(destination, "^([\w|\d]+\.[\w|\d]+\.[\w|\d]+\.[\w|\d]+):(\d+)", "\1")
EVAL-someshdest_port = replace(destination, "^([\w|\d]+\.[\w|\d]+\.[\w|\d]+\.[\w|\d]+):(\d+)", "\2")
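The two approaches in this thread (the REPORT/transform extraction in the question's transforms.conf and the EVAL-replace() calculated fields in the answer) behave differently when the destination column does not contain an address:port pair. The following is an added example, not code from the thread or from Splunk: it models the search-time steps in Python so the difference is visible. The FIELDS list is a six-column subset of the isafwsw3c stanza, the sample events and the "-" placeholder for an empty column are constructed, and the transform regex is written with escaped dots (an assumption that the intent is to match literal IPv4 addresses, which the unescaped version in the question does not enforce).

```python
import re

# Constructed subset of the FIELDS list from the thread's isafwsw3c stanza
# (only the first six columns, enough to reach "destination").
FIELDS = ["computer", "date", "time", "ip_protocol", "original_source", "destination"]

# Equivalent of the thread's destinationtran transform, with the dots escaped:
# the original `(\d+.\d+.\d+.\d+):(\d+)` lets any character stand between octets.
ADDR_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")

# Regex from the thread's calculated-field alternative, exactly as written in the answer.
REPLACE_PATTERN = re.compile(r"^([\w|\d]+\.[\w|\d]+\.[\w|\d]+\.[\w|\d]+):(\d+)")

# Constructed sample events in TMG W3C tab-delimited layout (subset of columns).
# The second event has no destination address; "-" stands in for the empty column.
SAMPLE_EVENTS = [
    "TMG01\t2024-01-15\t10:22:01\tTCP\t192.0.2.10:51522\t198.51.100.7:443",
    "TMG01\t2024-01-15\t10:22:02\tICMP\t192.0.2.10\t-",
]


def split_w3c(line):
    """DELIMS="\t" plus FIELDS: zip the tab-separated columns onto the field names."""
    return dict(zip(FIELDS, line.split("\t")))


def report_extract(event):
    """REPORT/transform behaviour: dest and dest_port exist only when the regex matches."""
    m = ADDR_PORT.match(event.get("destination", ""))
    if not m:
        return {}
    return {"dest": m.group(1), "dest_port": m.group(2)}


def eval_replace_extract(event):
    """EVAL-field = replace(...) behaviour: replace() hands back the input unchanged
    when the regex does not match, so the calculated field is never absent; on a
    non-matching event dest and dest_port both carry the raw column value."""
    value = event.get("destination", "")
    return {
        "dest": REPLACE_PATTERN.sub(r"\1", value),
        "dest_port": REPLACE_PATTERN.sub(r"\2", value),
    }


def normalise(line):
    """Run one raw event through both extraction styles side by side."""
    event = split_w3c(line)
    return {"report": report_extract(event), "eval": eval_replace_extract(event)}


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(normalise(line))
```

The practical consequence for a CIM-normalised dataset: with the calculated-field variant, searches that pivot on dest (for example counting distinct destinations per source) will see "-" or whatever the raw column held on events without an address, so a where isnotnull(dest) filter is not enough and a match() or cidrmatch() check is needed; with the transform variant the field is simply absent on those events.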
Thanks a ton! Took some time, but my dest and dest_port are now being populated correctly.