I've placed tcpdump for my server's interface into a cronjob that is writing the output
to a file. That file is then loaded into Splunk. I'm trying to extract the Source Address and
ports from the tcpdump data, but I'm running into a rex/regex knowledge wall.
17:05:04.419162 IP6 www.espeakers.com.ntp > myserver.com.ntp: NTPv4, Client, length 48
17:07:00.950849 IP6 jail2.daycos.com.ntp > myserver.com.ntp: NTPv4, Client, length 48
17:09:06.084146 IP6 greenbee.greenbeefundraising.com.ntp > myserver.com.ntp: NTPv4, Client, length 48
17:14:07.998611 IP6 pdr-lan.ipv6.xtcn.com.ntp > myserver.com.ntp: NTPv4, Client, length 48
17:19:03.210652 IP6 bonobo.mopidy.com.ntp > myserver.com.ntp: NTPv4, Client, length 48
What I'm looking for is the rex syntax that will:
(a) Pull out the Source Address
(b) Pull out the Source Port
(c) Repeat A and B, but on the Destination Address and Port.
I tried the extract wizard, but I can't seem to get it to meet my demands.
Thanks,
Try this:
| rex field=_raw "(?:\S+\s+){2}(?<src_fqdn>\S+)\.(?<src_svc>\w+)[\s\>]+(?<dst_fqdn>\S+)\.(?<dst_svc>\w+):"
This assumes what you've listed above is the entirety of each event, and performs the extractions setting the names listed. I tested it using the following two search commands. The first uses your existing format and the second tests to make sure it continues working if name/service resolution either isn't working, or if you decide to modify your tcpdump to not perform resolution.
source="*" | eval _raw="17:05:04.419162 IP6 bonobo.mopidy.com.ntp > myserver.com.ntp: NTPv4, Client, length 48" | rex field=_raw "(?:\S+\s+){2}(?<src_fqdn>\S+)\.(?<src_svc>\w+)[\s\>]+(?<dst_fqdn>\S+)\.(?<dst_svc>\w+):" | fields src_fqdn, src_svc, dst_fqdn, dst_svc
source="*" | eval _raw="17:05:04.419162 IP6 127.0.0.1.80 > 127.0.0.1.1234: NTPv4, Client, length 48" | rex field=_raw "(?:\S+\s+){2}(?<src_fqdn>\S+)\.(?<src_svc>\w+)[\s\>]+(?<dst_fqdn>\S+)\.(?<dst_svc>\w+):" | fields src_fqdn, src_svc, dst_fqdn, dst_svc
Regards and good luck.
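The same extraction outside Splunk, as an added example that is not part of the original answer: a small Python script applying the answer's regex (rewritten with Python's `(?P<name>...)` named-group syntax, otherwise identical) to the sample lines from the question plus the unresolved-address variant the answer tested. The helper names `extract_endpoints`, `parse_capture` and `count_sources` are this example's own; the sample capture text is copied from the thread.

```python
import re
from collections import Counter

# Same pattern as the rex in the answer above. Python's re module names groups
# with (?P<name>...) and the ">" inside a character class needs no backslash.
TCPDUMP_ENDPOINTS = re.compile(
    r"(?:\S+\s+){2}"                          # timestamp and "IP6"/"IP" token
    r"(?P<src_fqdn>\S+)\.(?P<src_svc>\w+)"    # source host; last dotted part is the port/service
    r"[\s>]+"                                 # the " > " separator
    r"(?P<dst_fqdn>\S+)\.(?P<dst_svc>\w+):"   # destination host and port/service, then ":"
)

# Sample events copied from the question (resolved names) and the answer (numeric form).
SAMPLE_CAPTURE = """\
17:05:04.419162 IP6 www.espeakers.com.ntp > myserver.com.ntp: NTPv4, Client, length 48
17:07:00.950849 IP6 jail2.daycos.com.ntp > myserver.com.ntp: NTPv4, Client, length 48
17:09:06.084146 IP6 greenbee.greenbeefundraising.com.ntp > myserver.com.ntp: NTPv4, Client, length 48
17:14:07.998611 IP6 pdr-lan.ipv6.xtcn.com.ntp > myserver.com.ntp: NTPv4, Client, length 48
17:19:03.210652 IP6 bonobo.mopidy.com.ntp > myserver.com.ntp: NTPv4, Client, length 48
"""
UNRESOLVED_LINE = "17:05:04.419162 IP6 127.0.0.1.80 > 127.0.0.1.1234: NTPv4, Client, length 48"


def extract_endpoints(line):
    """Return {src_fqdn, src_svc, dst_fqdn, dst_svc} for one tcpdump line, or None."""
    m = TCPDUMP_ENDPOINTS.search(line)
    return m.groupdict() if m else None


def parse_capture(text):
    """Apply the extraction to every line of a capture, skipping lines that don't match."""
    return [r for r in (extract_endpoints(ln) for ln in text.splitlines()) if r]


def count_sources(records):
    """Tally events per source host, the usual first step when reviewing who is talking to the server."""
    return Counter(r["src_fqdn"] for r in records)


if __name__ == "__main__":
    records = parse_capture(SAMPLE_CAPTURE)
    for r in records:
        print(f"{r['src_fqdn']}:{r['src_svc']} -> {r['dst_fqdn']}:{r['dst_svc']}")
    print(extract_endpoints(UNRESOLVED_LINE))
    print(count_sources(records).most_common(3))
```

One caveat when keying anything on `src_fqdn`: the names in tcpdump's default output come from reverse DNS, so they are whatever PTR record the remote side's address resolves to and can change or be missing. Capturing with `tcpdump -n` keeps the address numeric, which the regex handles as the second test in the answer shows, and gives a stable key for counting and alerting.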
Can somebody break out this search so I can create Field Extractions so it's hard coded?
You're welcome, I'm glad it worked.
Thank You. This rex statement hit the nail on the spot.