- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- data format...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm looking at importing TCPDUMP data into Splunk purely for the graph functions and for the TOP functions available in searches.
So the TCPDUMP sample looks like:
2012-09-10 18:23:48.079340 IP 123.85.61.82.domain > 216.152.173.2.51486: 36174- 0/6/3 (613)
2012-09-10 18:23:48.079345 IP 123.46.12.230.domain > 220.181.125.132.domain: 30501- 0/6/3 (619)
2012-09-10 18:23:48.079355 IP 192.52.178.30.domain > 193.11.113.3.56453: 33190- 0/6/3 (598)
2012-09-10 18:23:48.079361 IP 201.31.164.50.domain > 201.10.132.5.56571: 20625- 0/2/2 (107)
2012-09-10 18:23:48.079366 IP 192.42.93.30.domain > 64.105.97.90.47718: 25511- 0/6/4 (634)
Here's my question:
I want to run top reports on the source and destination IP's listed above. What's the best way to strip off the extensions at the end of the address (.domain and :33190)?
Is this good utilization of Splunk for my data?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As Ayn says; is there a particular problem other than just extracting the fields? From the look of your sample events, the format is;
timestamp src_ip.src_port dest_ip.dest_port
2012-09-10 18:23:48.079340 IP 123.85.61.82.domain > 216.152.173.2.51486: 36174- 0/6/3 (613)
If the format will always stay like this, i.e. not change direction (ip.port < ip.port), you can easily try out extractions with rex before making the props.conf changes.
Something like this should do, I think.
... | rex "\s+IP\s+(?<src_ip>\d+\.\d+\.\d+\.\d+)\.(?<src_port>\S+)\s+>\s+(?<dest_ip>\d+\.\d+\.\d+\.\d+)\.(?<dest_port>[a-z0-9]+):\s+"
I think that IFX will have no trouble doing it for you either..
/Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As Ayn says; is there a particular problem other than just extracting the fields? From the look of your sample events, the format is;
timestamp src_ip.src_port dest_ip.dest_port
2012-09-10 18:23:48.079340 IP 123.85.61.82.domain > 216.152.173.2.51486: 36174- 0/6/3 (613)
If the format will always stay like this, i.e. not change direction (ip.port < ip.port), you can easily try out extractions with rex before making the props.conf changes.
Something like this should do, I think.
... | rex "\s+IP\s+(?<src_ip>\d+\.\d+\.\d+\.\d+)\.(?<src_port>\S+)\s+>\s+(?<dest_ip>\d+\.\d+\.\d+\.\d+)\.(?<dest_port>[a-z0-9]+):\s+"
I think that IFX will have no trouble doing it for you either..
/Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, I tried it, and it worked. From one of the events, click the little blue 'down' arrow next to the timestamp, select 'Extract Fields'. In the box type:
123.85.61.82,domain,216.152.173.2,51486
and click 'generate'. I didn't to through with saving the extractions, but the IFX correctly found all the IPs and ports.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The IFX does not recognize this field. Is that normal?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was about to answer, but seeing as you've been on splunkbase for quite a while, it would be beneficial to know first what the issue is here. Do you want to know how to perform field extractions?
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
