Splunk Search

IPV6 address field extraction issue

Engager

Hi everybody,

I am trying to use splunk> to extract some information from a set of IIS log files. Basically, I am working on a IPV6 vs IPV4 report. Yesterday, I did some tests at home, and everything worked fine. However, today at customer site, I have detected an strange behavior on splunk>

I have attached a picture so you can easily see what I am talking about:

alt text

Here it is the picture if does not fit on your browser:

http://i55.tinypic.com/mhx5i.png

Apparently, splunk> tries to shrink the IPV6 address, but it uses :: even though the real address is not filled with zeros. And therefore, my regExp does not work fine, because it is for fully fledged IPV6 addresses. Anyway, I could work in other regExp but the main point is that I am afraid splunk> is not indexing the information properly, shrinking IPV6 addresses when is not allowed.

Thanks in advance

Splunk Employee
Splunk Employee

I don't think that Splunk is mangling your field value but rather that the "c_ip" field is not extracted from the location you expect in the event :

alt text

It looks like some app that you have installed is performing the extraction of the "c_ip" field by default. I would recommend that you check the other fields extracted, as one of them might contain the value you care about but under a field name other than "c_ip".

Finally, if the value you care for is not being extracted at all, I recommend that you create your own field extraction following these instructions from our online documentation :

http://www.splunk.com/base/Documentation/latest/Knowledge/Addfieldsatsearchtime

...and using one of these fine regular expressions tailored for IPv6 addresses :

http://splunk-base.splunk.com/answers/8435/ipv6-addresses-parsed-properly