Is it possible to put a conditional statement in a field extraction?

brent_weaver
Builder

I have files I am ingesting that have variable formats. I want to pick those lines out that only have an IP address as the third value and extract that as srcIP. Is this possible to essentially put a conditional statement in so I don't get all the garbage from the "other" data in the logs?

0 Karma
1 Solution

gokadroid
Motivator

If the IP you are looking for is before %ASA, then try this, which will save it in the srcIP field:

yourBasequery
| rex "(?<srcIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s%ASA"
| use srcIP here

check the extraction here

View solution in original post

0 Karma

brent_weaver
Builder

I was able to solve this by using the field extractor in the web UI. It gave me the ability to say a string is "required", which would filter for %ASA. I was then able to utilize it to build my regular expression, and it worked very nicely.

0 Karma

brent_weaver
Builder

We may see this:

Oct 31 13:48:30 10.251.44.137 %ASA-4-106023: Deny tcp src clc:10.40.2.13/59318 dst outside:46.6.11.38/3389 by access-group "clc_in" [0x0, 0x0]

Or

Oct 31 13:48:30 10.251.44.137 %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 2 per second, max configured rate is 10; Current average rate is 8 per second, max configured rate is 5; Cumulative total count is 5176

I guess one could say I want only the lines that have %ASA in them. How do I do that?

0 Karma
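To make the conditional extraction concrete, here is an added example (not code from the thread or from Splunk) that applies the accepted answer's rex pattern to the two events quoted in this post plus one constructed non-ASA line. It mimics what Splunk does: the field is set only when the pattern matches, so a follow-up filter on srcIP being present drops the "garbage" lines. The octet validation step is an assumption added here, since `\d{1,3}` alone would also accept values like 999.1.1.1.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Regex from the accepted answer, with Splunk's (?<name>...) written as
# Python's (?P<name>...): an IPv4-looking token followed by whitespace and %ASA.
SRCIP_RE = re.compile(r"(?P<srcIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s%ASA")

# Constructed sample events: the two ASA lines quoted in the thread plus one
# made-up non-ASA line of the kind the question wants to leave out.
SAMPLE_EVENTS = [
    'Oct 31 13:48:30 10.251.44.137 %ASA-4-106023: Deny tcp src clc:10.40.2.13/59318 '
    'dst outside:46.6.11.38/3389 by access-group "clc_in" [0x0, 0x0]',
    "Oct 31 13:48:30 10.251.44.137 %ASA-4-733100: [ Scanning] drop rate-1 exceeded. "
    "Current burst rate is 2 per second, max configured rate is 10; Current average "
    "rate is 8 per second, max configured rate is 5; Cumulative total count is 5176",
    # constructed, not from the thread
    "Oct 31 13:48:31 fw01 sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 51234",
]


def extract_srcip(event: str) -> Optional[str]:
    """Mimic the thread's rex: return the captured srcIP, or None when the
    event does not match (Splunk simply leaves the field unset in that case)."""
    m = SRCIP_RE.search(event)
    if m is None:
        return None
    candidate = m.group("srcIP")
    # Assumption added here: reject "octets" above 255 that \d{1,3} lets through,
    # so malformed tokens never end up in srcIP.
    try:
        ipaddress.IPv4Address(candidate)
    except ValueError:
        return None
    return candidate


def asa_events_with_srcip(events: List[str]) -> List[Tuple[str, str]]:
    """Equivalent of `| rex ... | where isnotnull(srcIP)`: keep only the events
    where the extraction succeeded, paired with the extracted value."""
    kept = []
    for event in events:
        ip = extract_srcip(event)
        if ip is not None:
            kept.append((event, ip))
    return kept


if __name__ == "__main__":
    for event, ip in asa_events_with_srcip(SAMPLE_EVENTS):
        print(ip, "<-", event[:45])
```

Running it prints srcIP 10.251.44.137 for both ASA events and nothing for the sshd line, which is the behaviour the search-time `rex` plus a null check on srcIP gives you in Splunk.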

lukejadamec
Super Champion

I don't understand. Both of these events have %ASA in them. Also, is your intention to drop the events you don't want completely (not indexed), or to keep the events but not extract the src_ip field?

0 Karma

somesoni2
Revered Legend

Which IP address value do you want to pick? Could you highlight it?

0 Karma

lukejadamec
Super Champion

It should be possible. Can you post some example events?

0 Karma