Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to put a conditional statement in a field extraction?

brent_weaver
Builder
‎11-01-2016 11:50 AM

I have files I am ingesting that have variable formats. I want to pick those lines out that only have an IP address as the third value and extract that as srcIP. Is this possible to essentially put a conditional statement in so I don't get all the garbage from the "other" data in the logs?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gokadroid
Motivator
‎11-01-2016 12:45 PM

if the IP you are looking for is before %ASA then try this which will save that in srcIP field:

yourBasequery
| rex "(?<srcIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s%ASA"
| user srcIP here

check the extraction here

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gokadroid
Motivator
‎11-01-2016 12:45 PM

if the IP you are looking for is before %ASA then try this which will save that in srcIP field:

yourBasequery
| rex "(?<srcIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s%ASA"
| user srcIP here

check the extraction here

0 Karma
Reply
Solved! Jump to solution

brent_weaver
Builder
‎11-01-2016 01:41 PM

I was able to solve this by using field extractor in the webui. It gave me the ability to say a string is "required" which would filter for %ASA. I was then able to utilize it to build my regular expression and it worked very nicely

0 Karma
Reply
Solved! Jump to solution

brent_weaver
Builder
‎11-01-2016 12:35 PM

We may see this:

Oct 31 13:48:30 10.251.44.137 %ASA-4-106023: Deny tcp src clc:10.40.2.13/59318 dst outside:46.6.11.38/3389 by access-group "clc_in" [0x0, 0x0]

Or 

Oct 31 13:48:30 10.251.44.137 %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 2 per second, max configured rate is 10; Current average rate is 8 per second, max configured rate is 5; Cumulative total count is 5176

I guess one could say I want only the lines that have %ASA in them. How do I do that?

0 Karma
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎11-01-2016 12:44 PM

I don't understand. both of these events have %ASA in them. Also, is your intention to drop the events you don't want completely (not indexed) or keep the events but not extract the src_ip field?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎11-01-2016 12:44 PM

Which ip address value you want to pick? could you highlight?

0 Karma
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎11-01-2016 12:28 PM

It should be possible. Can you post some example events?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Enhance Security Operations with Automated Threat Analysis in the Splunk EcosystemAre you leveraging ...

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...