Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

SPLUNK Search derived from Stream app produces strange result...

heskez
Engager
‎09-26-2018 01:47 AM

Hi there, when I run this search: 

index=* source=stream:Splunk_IP | rex field=src_ip "(?<src1>.*)\.(?<src2>.*)\.(?<src3>.*)\.(?<src4>.*)" | where src1 NOT null | rex field=dest_ip "(?<dest1>.*)\.(?<dest2>.*)\.(?<dest3>.*)\.(?<dest4>.*)" | where dest1 NOT null | eval source_ip=round(src1+exact(src2*.001), 3) | eval destination_ip=round(dest1+exact(dest2*.001), 3) | eventstats sum(sum(bytes)) as bytes by source_ip, destination_ip | stats latest(source_ip), latest(destination_ip), sum(count) by bytes | rename latest(source_ip) as "Source IP", latest(destination_ip) as "Destination IP", sum(count) as "Flows", bytes as "Bytes", sourcetype as "Sourcetype"

It produces this result:
alt text

As you'll notice the other half of source and destination ipaddresses are missing.

Is this: ????

  • Because the flow data doesn't arrive properly in SPLUNK
  • The stream app needs more configuring
  • Search syntax is wrong

I'd highly appreciate an answer on this.
Thanks in advance!

Erik

Preview file
51 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nryabykh
Path Finder
‎09-26-2018 03:13 AM

Hi!

In these commands:
| eval source_ip=round(src1+exact(src2*.001), 3) | eval destination_ip=round(dest1+exact(dest2*.001), 3)

you try to concatenate only two parts of IP (src1 and src2). No wonder, that half of IP is missing. Substitute these evals with:
| eval source_ip = src1 + "." + src2 +"." + src3 + "." + src4 | eval destination_ip = dest1 + "." + dest2 + "." + dest3 + "." + dest4

By the way, are you sure you need such conversion? I'm guessing, src_ip and dest_ip contains the whole and correct IP addresses, and you can use them instead of source_ip and destination_ip.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

heskez
Engager
‎10-17-2018 03:39 PM

Anyone?
WIth advice?

0 Karma
Reply
Solved! Jump to solution

heskez
Engager
‎10-17-2018 03:36 AM

I've now this search:

index=* source="stream:*" source="stream:fortistream"
|table timestamp, src_ip, dest_ip, ,dest_port, sum(bytes_in), sum(bytes_out)

But how do I make sure the values of scr_ip and dest_ip belong together within the same data flow?

0 Karma
Reply
Solved! Jump to solution

heskez
Engager
‎09-26-2018 02:53 PM

Basically this will work for me: 

index=* source="stream:*" source="stream:fortistream" 
|table timestamp, src_ip, dest_ip, ,dest_port, sum(bytes_in), sum(bytes_out)

So what do I need this crazy search that comes with the stream app datamodel for then?
Why did they set it up like this?

0 Karma
Reply
Solved! Jump to solution
Solution

nryabykh
Path Finder
‎09-26-2018 03:13 AM

Hi!

In these commands:
| eval source_ip=round(src1+exact(src2*.001), 3) | eval destination_ip=round(dest1+exact(dest2*.001), 3)

you try to concatenate only two parts of IP (src1 and src2). No wonder, that half of IP is missing. Substitute these evals with:
| eval source_ip = src1 + "." + src2 +"." + src3 + "." + src4 | eval destination_ip = dest1 + "." + dest2 + "." + dest3 + "." + dest4

By the way, are you sure you need such conversion? I'm guessing, src_ip and dest_ip contains the whole and correct IP addresses, and you can use them instead of source_ip and destination_ip.

0 Karma
Reply
Solved! Jump to solution

heskez
Engager
‎09-26-2018 03:52 AM

Thanks! When I convert the syntax like this: 

index=* source=stream:Splunk_IP | rex field=src_ip "(?<src1>.*)\.(?<src2>.*)\.(?<src3>.*)\.(?<src4>.*)" | where src1 NOT null | rex field=dest_ip "(?<dest1>.*)\.(?<dest2>.*)\.(?<dest3>.*)\.(?<dest4>.*)" | where dest1 NOT null | | eval source_ip = src1 + "." + src2 +"." + src3 + "." + src4 | eval destination_ip = dest1 + "." + dest2 + "." + dest3 + "." + dest4 | eventstats sum(sum(bytes)) as bytes by source_ip, destination_ip | stats latest(source_ip), latest(destination_ip), sum(count) by bytes | rename latest(source_ip) as "Source IP", latest(destination_ip) as "Destination IP", sum(count) as "Flows", bytes as "Bytes", sourcetype as "Sourcetype"

It produces an error message: Error in 'SearchParser': Missing a search command before '|'. Error at position '235' of search query 'search index=* source=stream:Splunk_IP | rex field...{snipped} {errorcontext = OT null | | eval sour}'.

You'd say you don't need the source_ip, however it's part of the data model. If I try search on src_ip I don't get any data.. Or.. I'm doing wrong search, what would be the search syntax then?

0 Karma
Reply
Solved! Jump to solution

p_gurav
Champion
‎09-26-2018 02:31 AM

This is happening because you are using round function. can you try to remove it?

0 Karma
Reply
Solved! Jump to solution

heskez
Engager
‎09-26-2018 03:47 AM

Thanks, I wonder why they even use the round function on an ipaddress!? 🙂
Anyway, if I remove it I mess up the syntax completely..

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...