
Map a field to a value within the log file

neltonk

I am working with clock sync log files. The top 3 lines have the IP address -> MAC address mapping; the rest of the lines have the offset and sync-delay details of each host, keyed by MAC address (format shown below). Is it possible to extract the IP address from the first three lines and map it to each log entry in my offset report?

{ "node": {"port-id": "000f:53ff:fe59:f640.1", "domain": 3, "address": "10.0.0.1" } }
{ "node": {"port-id": "000f:53ff:fe59:f720.1", "domain": 1, "address": "10.0.0.2" } }
{ "node": {"port-id": "000f:53ff:fe59:f620.2", "domain": 0, "address": "10.0.0.3" } }
{ "rx-event": {"monitor-seq-id": 0, "monitor-timestamp": "2018-01-02 03:24:08.454728", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18218, "offset-from-master": -11.000000, "mean-path-delay": 1771.000000, "sync-ingress-timestamp": 1514863478.454504073 } }
{ "rx-event": {"monitor-seq-id": 1, "monitor-timestamp": "2018-01-02 03:24:08.454730", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18219, "offset-from-master": -11.000000, "mean-path-delay": 1771.000000, "sync-ingress-timestamp": 1514863479.454501525 } }
{ "rx-event": {"monitor-seq-id": 2, "monitor-timestamp": "2018-01-02 03:24:08.454730", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18220, "offset-from-master": -11.000000, "mean-path-delay": 1771.000000, "sync-ingress-timestamp": 1514863480.454500265 } }
{ "rx-event": {"monitor-seq-id": 3, "monitor-timestamp": "2018-01-02 03:24:08.454730", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18221, "offset-from-master": -13.000000, "mean-path-delay": 1773.000000, "sync-ingress-timestamp": 1514863481.454496428 } }
{ "rx-event": {"monitor-seq-id": 4, "monitor-timestamp": "2018-01-02 03:24:08.454731", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18222, "offset-from-master": 20.000000, "mean-path-delay": 1781.000000, "sync-ingress-timestamp": 1514863482.454495132 } }
{ "rx-event": {"monitor-seq-id": 5, "monitor-timestamp": "2018-01-02 03:24:08.454732", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18223, "offset-from-master": 13.500000, "mean-path-delay": 1774.500000, "sync-ingress-timestamp": 1514863483.454491258 } }
{ "rx-event": {"monitor-seq-id": 6, "monitor-timestamp": "2018-01-02 03:24:08.454732", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18224, "offset-from-master": 13.500000, "mean-path-delay": 1774.500000, "sync-ingress-timestamp": 1514863484.454488702 } }
{ "rx-event": {"monitor-seq-id": 7, "monitor-timestamp": "2018-01-02 03:24:08.454733", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18225, "offset-from-master": 15.500000, "mean-path-delay": 1767.500000, "sync-ingress-timestamp": 1514863485.454487436 } }
{ "rx-event": {"monitor-seq-id": 8, "monitor-timestamp": "2018-01-02 03:24:08.788909", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47448, "offset-from-master": 26.500000, "mean-path-delay": 1894.500000, "sync-ingress-timestamp": 1514863478.788863443 } }
{ "rx-event": {"monitor-seq-id": 9, "monitor-timestamp": "2018-01-02 03:24:08.788910", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47449, "offset-from-master": 9.000000, "mean-path-delay": 1897.000000, "sync-ingress-timestamp": 1514863479.788860880 } }
{ "rx-event": {"monitor-seq-id": 10, "monitor-timestamp": "2018-01-02 03:24:08.788911", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47450, "offset-from-master": 8.000000, "mean-path-delay": 1896.000000, "sync-ingress-timestamp": 1514863480.788858317 } }
{ "rx-event": {"monitor-seq-id": 11, "monitor-timestamp": "2018-01-02 03:24:08.788912", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47451, "offset-from-master": 8.000000, "mean-path-delay": 1896.000000, "sync-ingress-timestamp": 1514863481.788857043 } }
{ "rx-event": {"monitor-seq-id": 12, "monitor-timestamp": "2018-01-02 03:24:08.788912", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47452, "offset-from-master": 8.000000, "mean-path-delay": 1896.000000, "sync-ingress-timestamp": 1514863482.788853191 } }
{ "rx-event": {"monitor-seq-id": 13, "monitor-timestamp": "2018-01-02 03:24:08.788913", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47453, "offset-from-master": -1.000000, "mean-path-delay": 1896.000000, "sync-ingress-timestamp": 1514863483.788851917 } }
{ "rx-event": {"monitor-seq-id": 14, "monitor-timestamp": "2018-01-02 03:24:08.788913", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47454, "offset-from-master": -3.500000, "mean-path-delay": 1893.500000, "sync-ingress-timestamp": 1514863484.788848072 } }

I am new to Splunk and regex... please help.


DalJeanis

This line should extract the data you need:

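| rename COMMENT as "Pulls node (the port-id) and address (the IPv4 string) off the three mapping records; when no field is named rex reads _raw, and records without a port-id simply do not match and are left untouched"
| rex "\"port-id\":\s*\"(?<node>[0-9a-fA-F:]+\.\d+)\",.*?\"address\":\s*\"(?<address>\d+\.\d+\.\d+\.\d+)\""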

Here's an example of one way you could proceed:

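| makeresults
| eval mydata="{ \"node\": {\"port-id\": \"000f:53ff:fe59:f640.1\", \"domain\": 3, \"address\": \"10.0.0.1\" } }!!!!!{ \"node\": {\"port-id\": \"000f:53ff:fe59:f720.1\", \"domain\": 1, \"address\": \"10.0.0.2\" } }!!!!!{ \"node\": {\"port-id\": \"000f:53ff:fe59:f620.2\", \"domain\": 0, \"address\": \"10.0.0.3\" } }!!!!!{ \"rx-event\": {\"monitor-seq-id\": 0, \"monitor-timestamp\": \"2018-01-02 03:24:08.454728\", \"node\": \"000f:53ff:fe59:f640.1\", \"parent-port\": \"ec46:70ff:fe00:be6d.1\", \"sync-seq\": 18218, \"offset-from-master\": -11.000000, \"mean-path-delay\": 1771.000000, \"sync-ingress-timestamp\": 1514863478.454504073 } }!!!!!{ \"rx-event\": {\"monitor-seq-id\": 1, \"monitor-timestamp\": \"2018-01-02 03:24:08.454730\", \"node\": \"000f:53ff:fe59:f640.1\", \"parent-port\": \"ec46:70ff:fe00:be6d.1\", \"sync-seq\": 18219, \"offset-from-master\": -11.000000, \"mean-path-delay\": 1771.000000, \"sync-ingress-timestamp\": 1514863479.454501525 } }!!!!!{ \"rx-event\": {\"monitor-seq-id\": 2, \"monitor-timestamp\": \"2018-01-02 03:24:08.454730\", \"node\": \"000f:53ff:fe59:f640.1\", \"parent-port\": \"ec46:70ff:fe00:be6d.1\", \"sync-seq\": 18220, \"offset-from-master\": -11.000000, \"mean-path-delay\": 1771.000000, \"sync-ingress-timestamp\": 1514863480.454500265 } }"
| makemv delim="!!!!!" mydata 
| mvexpand mydata
| rename COMMENT as "The above just creates test data. In a real search drop it and point the rex commands below at _raw instead of mydata."

| rename COMMENT as "This pulls the node and address off the MAC address mapping records. A port-id is colon-separated hex groups, a dot and a port number, so the pattern matches that shape rather than a fixed 21-character length, which would silently stop matching for a two-digit port number. The whitespace after the colon is optional so compact JSON also parses."
| rex field=mydata "\"port-id\":\s*\"(?<node>[0-9a-fA-F:]+\.\d+)\",.*?\"address\":\s*\"(?<address>\d+\.\d+\.\d+\.\d+)\""

| rename COMMENT as "Mark the mapping records so they can be dropped after their address has been copied onto the log records."
| eval killme=case(isnotnull(address),"killme")

| rename COMMENT as "This pulls the node off the log entries. The mapping records have a JSON object rather than a string after the node key, so this rex does not match them and leaves the node extracted above in place. You need to do whatever else here that you want for the report."
| rex field=mydata "\"node\":\s*\"(?<node>[0-9a-fA-F:]+\.\d+)\""

| rename COMMENT as "Now we roll the address from the MAC to the log records. max() works because each node has exactly one mapping record in the results; if a node were re-addressed inside the search window this would keep the lexicographically largest IP, not the most recent one, and the mapping records must fall inside the same search time range as the log records."
| eventstats max(address) as address by node

| rename COMMENT as "and kill the unneeded MAC records"
| where isnull(killme)

| rename COMMENT as "Or you can wait until this point and NOW do whatever else here that you want for the report"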