Splunk Search

Regex for arpwatch extractions

ehoward
Path Finder

Does anyone have any field extraction regexes for arpwatch they could share? I could probably figure it out eventually but regexes are not my idea of fun.

0 Karma
1 Solution

MuS
SplunkTrust

Hi ehoward,

Like lukejadamec said, sample data are most useful, and your needs as well. Nevertheless, since arpwatch is nothing else than syslog output and therefore pretty generic, you can do some regex-Fu based on this log example:

Nov 10 15:59:34 debian arpwatch: new station 192.168.1.2 0:17:9a:a:f6:44 eth0
Nov 10 15:59:34 debian arpwatch: changed station 192.168.1.2 0:17:9a:b:f6:f6 (0:17:9a:a:f6:44)
Nov 10 15:59:34 debian arpwatch: new station 192.168.1.2 0:17:9a:a:f6:44 eth0
Nov 10 15:59:34 debian arpwatch: changed station 192.168.1.2 0:17:9a:b:f6:f6 (0:17:9a:a:f6:44)
Nov 10 15:59:34 debian arpwatch: new station 192.168.1.2 0:17:9a:a:f6:44 eth0
Nov 10 15:59:34 debian arpwatch: changed station 192.168.1.2 0:17:9a:b:f6:f6 (0:17:9a:a:f6:44)

Using the above sample, use this:

... | rex field="_raw" "\:\s(?<arpwatchStatus>.+station)" | ...

to get a new field arpwatchStatus containing either new station or changed station.

Use this:

... | rex field="_raw" "\s(?<arpwatchInterface>[a-z]+[0-9])" | ...

to get a new field called arpwatchInterface containing in this case eth0.

You just learned search time field extraction, so you should know what the field names for the next examples will be and what they will contain:

... | rex field="_raw" "new\sstation\s(?<arpwatchNewIP>(\d+\.){3}\d+)\s" | ...
... | rex field="_raw" "new\sstation\s(\d+\.){3}\d+\s(?<arpwatchNewMAC>([0-9a-f]{1,2}[\.:-]){5}([0-9a-f]{1,2}))" | ...
... | rex field="_raw" "changed\sstation\s(?<arpwatchChangedIP>(\d+\.){3}\d+)\s" | ...
... | rex field="_raw" "changed\sstation\s(\d+\.){3}\d+\s(?<arpwatchChangedMAC>([0-9a-f]{1,2}[\.:-]){5}([0-9a-f]{1,2}))" | ...

Field extraction can be set up to happen automatically; take a look at the docs about this.

hope this helps to get you going ...

cheers, MuS

PS: if this answer was useful, please tick the tick to mark it answered


sbrant_splunk
Splunk Employee

Given that your record looks like this:

Apr  3 23:33:25 splunkiron arpwatch: new station 192.168.1.229 80:ea:96:b8:3:e3

You should be able to use this regex:

^(?:[^\s]+\s+){3}(?<host>[^\s]+)\s+(?<process>[^:]+):\s+(?<message>[^\d]+)(?<dest>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+(?<mac>.*)

If you provide some log samples and the fields you'd like extracted, I can be more precise.
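The same extraction as the rex patterns in MuS's and sbrant_splunk's answers, written as a small Python parser so the regex can be checked offline against the quoted sample lines before it goes into a search. This is an added example, not code from either answer or from arpwatch; the sample lines are constructed from the thread's examples, Python's re needs (?P<name>...) where Splunk's PCRE accepts (?<name>...), and the optional [pid] suffix after the process name is a general syslog assumption.

```python
import re
from typing import Optional

# Constructed sample lines in the format quoted in the thread (not real captures).
SAMPLE_LOGS = """\
Nov 10 15:59:34 debian arpwatch: new station 192.168.1.2 0:17:9a:a:f6:44 eth0
Nov 10 15:59:34 debian arpwatch: changed station 192.168.1.2 0:17:9a:b:f6:f6 (0:17:9a:a:f6:44)
Apr  3 23:33:25 splunkiron arpwatch: new station 192.168.1.229 80:ea:96:b8:3:e3
"""

# Same building blocks as the rex patterns in the answers (1-2 hex digits per octet,
# because arpwatch does not zero-pad), combined into one pattern for both event types.
MAC = r"(?:[0-9a-f]{1,2}[.:-]){5}[0-9a-f]{1,2}"
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
ARPWATCH_RE = re.compile(
    r"^(?P<ts>\S+\s+\S+\s+\S+)\s+"                 # syslog timestamp: month, day, time
    r"(?P<host>\S+)\s+arpwatch(?:\[\d+\])?:\s+"    # host and process (optional [pid], assumed)
    r"(?P<status>new station|changed station)\s+"
    rf"(?P<ip>{IPV4})\s+(?P<mac>{MAC})"
    rf"(?:\s+\((?P<old_mac>{MAC})\))?"             # changed station carries the previous MAC
    r"(?:\s+(?P<interface>[a-z]+\d+))?\s*$"         # new station may carry the interface
)


def normalize_mac(mac: str) -> str:
    """Pad each octet to two hex digits so 0:17:9a:a:f6:44 matches 00:17:9a:0a:f6:44 in lookups."""
    return ":".join(f"{int(octet, 16):02x}" for octet in re.split(r"[.:-]", mac))


def parse_arpwatch(line: str) -> Optional[dict]:
    """Return the extracted fields for one arpwatch syslog line, or None if it is not one."""
    m = ARPWATCH_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    for key in ("mac", "old_mac"):
        if event[key]:
            event[key] = normalize_mac(event[key])
    return event


def changed_stations(lines) -> list:
    """Keep only 'changed station' events: an IP now answering from a different MAC."""
    events = (parse_arpwatch(line) for line in lines)
    return [e for e in events if e and e["status"] == "changed station"]


if __name__ == "__main__":
    for line in SAMPLE_LOGS.splitlines():
        print(parse_arpwatch(line))
```

The normalized MAC is what you would key a lookup on; the raw unpadded form is what the rex fields above will contain.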

MuS
SplunkTrust

You're welcome. Please tick the tick in this case to mark this as answered - thx

0 Karma

ehoward
Path Finder

Thank you all for your answers. I really appreciate all the help. I have fought my way through regexes before, but if you don't do it every day it can be frustrating to pick it all up again. The samples you have provided me are a great start. Once I get all my fields properly defined I will post what I have.

0 Karma

lukejadamec
Super Champion

You could of your data and what you want to extract.

0 Karma