
How to remove and isolate the SRC_ADDR and Port from a tcpdump

albyva
Communicator

I've placed tcpdump for my server's interface into a cronjob that is writing the output
to a file. That file is then loaded into Splunk. I'm trying to extract the Source Address and
ports from the tcpdump data, but I'm running into a rex/regex knowledge wall.

17:05:04.419162 IP6 www.espeakers.com.ntp > myserver.com.ntp: NTPv4, Client, length 48

17:07:00.950849 IP6 jail2.daycos.com.ntp > myserver.com.ntp: NTPv4, Client, length 48

17:09:06.084146 IP6 greenbee.greenbeefundraising.com.ntp > myserver.com.ntp: NTPv4, Client, length 48

17:14:07.998611 IP6 pdr-lan.ipv6.xtcn.com.ntp > myserver.com.ntp: NTPv4, Client, length 48

17:19:03.210652 IP6 bonobo.mopidy.com.ntp > myserver.com.ntp: NTPv4, Client, length 48

What I'm looking for is the rex syntax that will:

(a) Pull out the Source Address
(b) Pull out the Source Port
(c) Repeat A and B, but on the Destination Address and Port.

I tried the extract wizard, but I can't seem to get it to meet my demands.

Thanks,


jsie_splunk
Splunk Employee

Try this:

| rex field=_raw "(?:\S+\s+){2}(?<src_fqdn>\S+)\.(?<src_svc>\w+)[\s\>]+(?<dst_fqdn>\S+)\.(?<dst_svc>\w+):"

This assumes what you've listed above is the entirety of each event, and performs the extractions setting the names listed. I tested it using the following two search commands. The first uses your existing format and the second tests to make sure it continues working if name/service resolution either isn't working, or if you decide to modify your tcpdump to not perform resolution.

source="*" | eval _raw="17:05:04.419162 IP6 bonobo.mopidy.com.ntp > myserver.com.ntp: NTPv4, Client, length 48" | rex field=_raw "(?:\S+\s+){2}(?<src_fqdn>\S+)\.(?<src_svc>\w+)[\s\>]+(?<dst_fqdn>\S+)\.(?<dst_svc>\w+):" | fields src_fqdn, src_svc, dst_fqdn, dst_svc

source="*" | eval _raw="17:05:04.419162 IP6 127.0.0.1.80 > 127.0.0.1.1234: NTPv4, Client, length 48" | rex field=_raw "(?:\S+\s+){2}(?<src_fqdn>\S+)\.(?<src_svc>\w+)[\s\>]+(?<dst_fqdn>\S+)\.(?<dst_svc>\w+):" | fields src_fqdn, src_svc, dst_fqdn, dst_svc

Regards and good luck.


albyva
Communicator

Can somebody break out this search so I can create Field Extractions so it's hard coded?

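A worked check of the accepted rex above, and of the follow-up request for a hard-coded field extraction. This is an added example, not code from the thread. It runs the same regex in Python (named groups written as (?P<name>...), which is the only syntactic change) over constructed tcpdump lines: the two formats from the answer, plus an IPv6 address and a hyphenated service name, which are assumed inputs not shown in the thread. The HARDENED_RE variant is mine, not the answerer's: it widens \w+ to [\w-]+ so that service names such as netbios-ns, which tcpdump prints from /etc/services when run without -n, still match.

```python
import re

# The rex from the accepted answer, translated to Python's named-group syntax.
# Splunk/PCRE (?<name>...) becomes (?P<name>...); [\s\>] is written [\s>].
ANSWER_RE = re.compile(
    r"(?:\S+\s+){2}"
    r"(?P<src_fqdn>\S+)\.(?P<src_svc>\w+)"
    r"[\s>]+"
    r"(?P<dst_fqdn>\S+)\.(?P<dst_svc>\w+):"
)

# Assumed variant (not from the thread): \w+ cannot match a hyphen, so
# resolved service names like netbios-ns or ms-sql-s fail the answer's rex.
# [\w-]+ accepts them while still stopping at the "." / ":" delimiters.
HARDENED_RE = re.compile(
    r"(?:\S+\s+){2}"
    r"(?P<src_fqdn>\S+)\.(?P<src_svc>[\w-]+)"
    r"[\s>]+"
    r"(?P<dst_fqdn>\S+)\.(?P<dst_svc>[\w-]+):"
)

# Constructed sample lines. The first two mirror the formats tested in the
# answer (resolved names, then numeric host.port). The last two are assumed
# edge cases: an IPv6 pair and a hyphenated /etc/services name.
SAMPLES = [
    "17:05:04.419162 IP6 www.espeakers.com.ntp > myserver.com.ntp: "
    "NTPv4, Client, length 48",
    "17:05:04.419162 IP6 127.0.0.1.80 > 127.0.0.1.1234: "
    "NTPv4, Client, length 48",
    "17:05:05.000001 IP6 2001:db8::1.123 > 2001:db8::2.123: "
    "NTPv4, Client, length 48",
    "17:05:06.000001 IP 192.0.2.10.netbios-ns > 192.0.2.255.netbios-ns: "
    "NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST",
]


def extract(line, pattern=ANSWER_RE):
    """Return the four endpoint fields as a dict, or None if the line
    does not match (which is what Splunk's rex does: no fields set)."""
    m = pattern.match(line)
    return m.groupdict() if m else None


def extract_all(lines, pattern=ANSWER_RE):
    """Apply extract() to every line, preserving order so callers can see
    which lines a given pattern silently drops."""
    return [extract(line, pattern) for line in lines]


def unmatched(lines, pattern=ANSWER_RE):
    """Lines the pattern fails on; in Splunk these would show up as events
    with no src_fqdn/src_svc/dst_fqdn/dst_svc at all."""
    return [line for line in lines if extract(line, pattern) is None]


if __name__ == "__main__":
    for name, pat in (("answer", ANSWER_RE), ("hardened", HARDENED_RE)):
        print(f"== {name} regex ==")
        for line, fields in zip(SAMPLES, extract_all(SAMPLES, pat)):
            print(line[:45] + "...", "->", fields)
        print("unmatched:", len(unmatched(SAMPLES, pat)))
```

The greedy \S+ before the last "." is what makes the rex work for both hostnames and dotted IPv4, and it also handles IPv6 because tcpdump still separates the port with a "." there. To make the extraction permanent instead of re-typing the rex, the same pattern (with Splunk's own (?<name>...) group syntax, exactly as in the answer) can be placed in props.conf as EXTRACT-tcpdump_endpoints = <regex> under the stanza for the tcpdump sourcetype; the class name tcpdump_endpoints is an assumption. The hyphen caveat applies there too unless the cronjob runs tcpdump with -n.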

jsie_splunk
Splunk Employee

You're welcome, I'm glad it worked.

albyva
Communicator

Thank You. This rex statement hit the nail on the spot.
