Splunk Search

IPV6 address field extraction issue

Engager

Hi everybody,

I am trying to use splunk> to extract some information from a set of IIS log files. Basically, I am working on a IPV6 vs IPV4 report. Yesterday, I did some tests at home, and everything worked fine. However, today at customer site, I have detected an strange behavior on splunk>

I have attached a picture so you can easily see what I am talking about:

alt text

Here it is the picture if does not fit on your browser:

http://i55.tinypic.com/mhx5i.png

Apparently, splunk> tries to shrink the IPV6 address, but it uses :: even though the real address is not filled with zeros. And therefore, my regExp does not work fine, because it is for fully fledged IPV6 addresses. Anyway, I could work in other regExp but the main point is that I am afraid splunk> is not indexing the information properly, shrinking IPV6 addresses when is not allowed.

Thanks in advance

Splunk Employee
Splunk Employee

I don't think that Splunk is mangling your field value but rather that the "c_ip" field is not extracted from the location you expect in the event :

alt text

It looks like some app that you have installed is performing the extraction of the "c_ip" field by default. I would recommend that you check the other fields extracted, as one of them might contain the value you care about but under a field name other than "c_ip".

Finally, if the value you care for is not being extracted at all, I recommend that you create your own field extraction following these instructions from our online documentation :

http://www.splunk.com/base/Documentation/latest/Knowledge/Addfieldsatsearchtime

...and using one of these fine regular expressions tailored for IPv6 addresses :

http://splunk-base.splunk.com/answers/8435/ipv6-addresses-parsed-properly

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!