Splunk Search

data format...

DTERM
Contributor

I'm looking at importing TCPDUMP data into Splunk purely for the graph functions and for the TOP functions available in searches.

So the TCPDUMP sample looks like:

2012-09-10 18:23:48.079340 IP 123.85.61.82.domain > 216.152.173.2.51486: 36174- 0/6/3 (613)

2012-09-10 18:23:48.079345 IP 123.46.12.230.domain > 220.181.125.132.domain: 30501- 0/6/3 (619)

2012-09-10 18:23:48.079355 IP 192.52.178.30.domain > 193.11.113.3.56453: 33190- 0/6/3 (598)

2012-09-10 18:23:48.079361 IP 201.31.164.50.domain > 201.10.132.5.56571: 20625- 0/2/2 (107)

2012-09-10 18:23:48.079366 IP 192.42.93.30.domain > 64.105.97.90.47718: 25511- 0/6/4 (634)

Here's my question:

I want to run top reports on the source and destination IPs listed above. What's the best way to strip off the extensions at the end of the address (.domain and :33190)?

Is this good utilization of Splunk for my data?

1 Solution

kristian_kolb
Ultra Champion

As Ayn says, is there a particular problem other than just extracting the fields? From the look of your sample events, the format is:

timestamp src_ip.src_port dest_ip.dest_port

2012-09-10 18:23:48.079340 IP 123.85.61.82.domain > 216.152.173.2.51486: 36174- 0/6/3 (613)

If the format will always stay like this, i.e. not change direction (ip.port < ip.port), you can easily try out extractions with rex before making the props.conf changes.

Something like this should do, I think.

... | rex "\s+IP\s+(?<src_ip>\d+\.\d+\.\d+\.\d+)\.(?<src_port>\S+)\s+>\s+(?<dest_ip>\d+\.\d+\.\d+\.\d+)\.(?<dest_port>[a-z0-9]+):\s+"

I think that IFX will have no trouble doing it for you either.

/Kristian



kristian_kolb
Ultra Champion

Well, I tried it, and it worked. From one of the events, click the little blue 'down' arrow next to the timestamp, select 'Extract Fields'. In the box type:

123.85.61.82,domain,216.152.173.2,51486

and click 'generate'. I didn't go through with saving the extractions, but the IFX correctly found all the IPs and ports.


DTERM
Contributor

The IFX does not recognize this field. Is that normal?


Ayn
Legend

I was about to answer, but seeing as you've been on splunkbase for quite a while, it would be beneficial to know first what the issue is here. Do you want to know how to perform field extractions?
