Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

SPLUNK Search derived from Stream app produces strange result...

heskez
Engager
‎09-26-2018 01:47 AM

Hi there, when I run this search: 

index=* source=stream:Splunk_IP | rex field=src_ip "(?<src1>.*)\.(?<src2>.*)\.(?<src3>.*)\.(?<src4>.*)" | where src1 NOT null | rex field=dest_ip "(?<dest1>.*)\.(?<dest2>.*)\.(?<dest3>.*)\.(?<dest4>.*)" | where dest1 NOT null | eval source_ip=round(src1+exact(src2*.001), 3) | eval destination_ip=round(dest1+exact(dest2*.001), 3) | eventstats sum(sum(bytes)) as bytes by source_ip, destination_ip | stats latest(source_ip), latest(destination_ip), sum(count) by bytes | rename latest(source_ip) as "Source IP", latest(destination_ip) as "Destination IP", sum(count) as "Flows", bytes as "Bytes", sourcetype as "Sourcetype"

It produces this result:
alt text

As you'll notice the other half of source and destination ipaddresses are missing.

Is this: ????

  • Because the flow data doesn't arrive properly in SPLUNK
  • The stream app needs more configuring
  • Search syntax is wrong

I'd highly appreciate an answer on this.
Thanks in advance!

Erik

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nryabykh
Path Finder
‎09-26-2018 03:13 AM

Hi!

In these commands:
| eval source_ip=round(src1+exact(src2*.001), 3) | eval destination_ip=round(dest1+exact(dest2*.001), 3)

you try to concatenate only two parts of IP (src1 and src2). No wonder, that half of IP is missing. Substitute these evals with:
| eval source_ip = src1 + "." + src2 +"." + src3 + "." + src4 | eval destination_ip = dest1 + "." + dest2 + "." + dest3 + "." + dest4

By the way, are you sure you need such conversion? I'm guessing, src_ip and dest_ip contains the whole and correct IP addresses, and you can use them instead of source_ip and destination_ip.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

heskez
Engager
‎10-17-2018 03:39 PM

Anyone?
WIth advice?

0 Karma
Reply
Solved! Jump to solution

heskez
Engager
‎10-17-2018 03:36 AM

I've now this search:

index=* source="stream:*" source="stream:fortistream"
|table timestamp, src_ip, dest_ip, ,dest_port, sum(bytes_in), sum(bytes_out)

But how do I make sure the values of scr_ip and dest_ip belong together within the same data flow?

0 Karma
Reply
Solved! Jump to solution

heskez
Engager
‎09-26-2018 02:53 PM

Basically this will work for me: 

index=* source="stream:*" source="stream:fortistream" 
|table timestamp, src_ip, dest_ip, ,dest_port, sum(bytes_in), sum(bytes_out)

So what do I need this crazy search that comes with the stream app datamodel for then?
Why did they set it up like this?

0 Karma
Reply
Solved! Jump to solution
Solution

nryabykh
Path Finder
‎09-26-2018 03:13 AM

Hi!

In these commands:
| eval source_ip=round(src1+exact(src2*.001), 3) | eval destination_ip=round(dest1+exact(dest2*.001), 3)

you try to concatenate only two parts of IP (src1 and src2). No wonder, that half of IP is missing. Substitute these evals with:
| eval source_ip = src1 + "." + src2 +"." + src3 + "." + src4 | eval destination_ip = dest1 + "." + dest2 + "." + dest3 + "." + dest4

By the way, are you sure you need such conversion? I'm guessing, src_ip and dest_ip contains the whole and correct IP addresses, and you can use them instead of source_ip and destination_ip.

0 Karma
Reply
Solved! Jump to solution

heskez
Engager
‎09-26-2018 03:52 AM

Thanks! When I convert the syntax like this: 

index=* source=stream:Splunk_IP | rex field=src_ip "(?<src1>.*)\.(?<src2>.*)\.(?<src3>.*)\.(?<src4>.*)" | where src1 NOT null | rex field=dest_ip "(?<dest1>.*)\.(?<dest2>.*)\.(?<dest3>.*)\.(?<dest4>.*)" | where dest1 NOT null | | eval source_ip = src1 + "." + src2 +"." + src3 + "." + src4 | eval destination_ip = dest1 + "." + dest2 + "." + dest3 + "." + dest4 | eventstats sum(sum(bytes)) as bytes by source_ip, destination_ip | stats latest(source_ip), latest(destination_ip), sum(count) by bytes | rename latest(source_ip) as "Source IP", latest(destination_ip) as "Destination IP", sum(count) as "Flows", bytes as "Bytes", sourcetype as "Sourcetype"

It produces an error message: Error in 'SearchParser': Missing a search command before '|'. Error at position '235' of search query 'search index=* source=stream:Splunk_IP | rex field...{snipped} {errorcontext = OT null | | eval sour}'.

You'd say you don't need the source_ip, however it's part of the data model. If I try search on src_ip I don't get any data.. Or.. I'm doing wrong search, what would be the search syntax then?

0 Karma
Reply
Solved! Jump to solution

p_gurav
Champion
‎09-26-2018 02:31 AM

This is happening because you are using round function. can you try to remove it?

0 Karma
Reply
Solved! Jump to solution

heskez
Engager
‎09-26-2018 03:47 AM

Thanks, I wonder why they even use the round function on an ipaddress!? 🙂
Anyway, if I remove it I mess up the syntax completely..

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...