I'm looking at importing TCPDUMP data into Splunk purely for the graph functions and for the TOP functions available in searches.
So the TCPDUMP sample looks like:
2012-09-10 18:23:48.079340 IP 123.85.61.82.domain > 216.152.173.2.51486: 36174- 0/6/3 (613)
2012-09-10 18:23:48.079345 IP 123.46.12.230.domain > 220.181.125.132.domain: 30501- 0/6/3 (619)
2012-09-10 18:23:48.079355 IP 192.52.178.30.domain > 193.11.113.3.56453: 33190- 0/6/3 (598)
2012-09-10 18:23:48.079361 IP 201.31.164.50.domain > 201.10.132.5.56571: 20625- 0/2/2 (107)
2012-09-10 18:23:48.079366 IP 192.42.93.30.domain > 64.105.97.90.47718: 25511- 0/6/4 (634)
Here's my question:
I want to run top reports on the source and destination IPs listed above. What's the best way to strip off the extensions at the end of the address (.domain and :33190)?
Is this good utilization of Splunk for my data?
As Ayn says, is there a particular problem other than just extracting the fields? From the look of your sample events, the format is:
timestamp src_ip.src_port dest_ip.dest_port
2012-09-10 18:23:48.079340 IP 123.85.61.82.domain > 216.152.173.2.51486: 36174- 0/6/3 (613)
If the format will always stay like this, i.e. not change direction (ip.port < ip.port), you can easily try out extractions with rex before making the props.conf changes.
Something like this should do, I think.
... | rex "\s+IP\s+(?<src_ip>\d+\.\d+\.\d+\.\d+)\.(?<src_port>\S+)\s+>\s+(?<dest_ip>\d+\.\d+\.\d+\.\d+)\.(?<dest_port>[a-z0-9]+):\s+"
I think that IFX will have no trouble doing it for you either.
/Kristian
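To sanity-check the rex above outside Splunk, here is an added Python example (not from the thread) that applies the same pattern to the sample events and computes the equivalent of `... | top src_ip`, reporting how many lines the pattern did not match. The extra DNS reply from 192.42.93.30 and the ARP line are constructed, and mapping tcpdump's `domain` service name back to port 53 assumes tcpdump ran without `-n`.

```python
import re
from collections import Counter

# Constructed sample: the five events quoted in the question, one extra DNS reply
# from 192.42.93.30, and one ARP line that the rex should not match.
SAMPLE_EVENTS = """\
2012-09-10 18:23:48.079340 IP 123.85.61.82.domain > 216.152.173.2.51486: 36174- 0/6/3 (613)
2012-09-10 18:23:48.079345 IP 123.46.12.230.domain > 220.181.125.132.domain: 30501- 0/6/3 (619)
2012-09-10 18:23:48.079355 IP 192.52.178.30.domain > 193.11.113.3.56453: 33190- 0/6/3 (598)
2012-09-10 18:23:48.079361 IP 201.31.164.50.domain > 201.10.132.5.56571: 20625- 0/2/2 (107)
2012-09-10 18:23:48.079366 IP 192.42.93.30.domain > 64.105.97.90.47718: 25511- 0/6/4 (634)
2012-09-10 18:23:48.079370 IP 192.42.93.30.domain > 64.105.97.91.47719: 25512- 0/6/4 (634)
2012-09-10 18:23:48.079380 ARP, Request who-has 10.0.0.1 tell 10.0.0.2, length 28
""".splitlines()

# Kristian's rex, with Splunk/PCRE (?<name>...) groups rewritten as Python's (?P<name>...).
EVENT_RE = re.compile(
    r"\s+IP\s+(?P<src_ip>\d+\.\d+\.\d+\.\d+)\.(?P<src_port>\S+)\s+>\s+"
    r"(?P<dest_ip>\d+\.\d+\.\d+\.\d+)\.(?P<dest_port>[a-z0-9]+):\s+"
)

# Without -n, tcpdump prints /etc/services names for well-known ports; undo that for 'domain'.
SERVICE_PORTS = {"domain": 53}


def port_number(port):
    """Return the port as an int, or None for a service name we cannot map back."""
    return int(port) if port.isdigit() else SERVICE_PORTS.get(port)


def extract_fields(line):
    """Apply the rex to one event; return its fields, or None if the line does not match."""
    match = EVENT_RE.search(line)
    if match is None:
        return None
    fields = match.groupdict()
    fields["src_port"] = port_number(fields["src_port"])
    fields["dest_port"] = port_number(fields["dest_port"])
    return fields


def top(lines, field, limit=3):
    """Rough equivalent of `... | top limit=<limit> <field>`, plus the count of unmatched lines
    so that a change in the tcpdump output format does not silently drop events."""
    counts = Counter()
    unmatched = 0
    for line in lines:
        fields = extract_fields(line)
        if fields is None:
            unmatched += 1
        else:
            counts[fields[field]] += 1
    return counts.most_common(limit), unmatched
```

Run `top(SAMPLE_EVENTS, "src_ip")` and `top(SAMPLE_EVENTS, "dest_ip")` to see the two reports the question asks for; a non-zero unmatched count is the signal that the direction or format assumption no longer holds.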
Well, I tried it, and it worked. From one of the events, click the little blue 'down' arrow next to the timestamp, select 'Extract Fields'. In the box type:
123.85.61.82,domain,216.152.173.2,51486
and click 'generate'. I didn't go through with saving the extractions, but the IFX correctly found all the IPs and ports.
The IFX does not recognize this field. Is that normal?
I was about to answer, but seeing as you've been on splunkbase for quite a while, it would be beneficial to know first what the issue is here. Do you want to know how to perform field extractions?