Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

data format...

DTERM
Contributor
‎09-11-2012 07:08 PM

I'm looking at importing TCPDUMP data into Splunk purely for the graph functions and for the TOP functions available in searches.

So the TCPDUMP sample looks like:

2012-09-10 18:23:48.079340 IP 123.85.61.82.domain > 216.152.173.2.51486: 36174- 0/6/3 (613)

2012-09-10 18:23:48.079345 IP 123.46.12.230.domain > 220.181.125.132.domain: 30501- 0/6/3 (619)

2012-09-10 18:23:48.079355 IP 192.52.178.30.domain > 193.11.113.3.56453: 33190- 0/6/3 (598)

2012-09-10 18:23:48.079361 IP 201.31.164.50.domain > 201.10.132.5.56571: 20625- 0/2/2 (107)

2012-09-10 18:23:48.079366 IP 192.42.93.30.domain > 64.105.97.90.47718: 25511- 0/6/4 (634)

Here's my question:

I want to run top reports on the source and destination IP's listed above. What's the best way to strip off the extensions at the end of the address (.domain and :33190)?

Is this good utilization of Splunk for my data?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎09-12-2012 02:53 AM

As Ayn says; is there a particular problem other than just extracting the fields? From the look of your sample events, the format is;

timestamp src_ip.src_port dest_ip.dest_port

2012-09-10 18:23:48.079340 IP 123.85.61.82.domain > 216.152.173.2.51486: 36174- 0/6/3 (613)

If the format will always stay like this, i.e. not change direction (ip.port < ip.port), you can easily try out extractions with rex before making the props.conf changes.

Something like this should do, I think.

... | rex "\s+IP\s+(?<src_ip>\d+\.\d+\.\d+\.\d+)\.(?<src_port>\S+)\s+>\s+(?<dest_ip>\d+\.\d+\.\d+\.\d+)\.(?<dest_port>[a-z0-9]+):\s+"

I think that IFX will have no trouble doing it for you either..

/Kristian

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎09-12-2012 02:53 AM

As Ayn says; is there a particular problem other than just extracting the fields? From the look of your sample events, the format is;

timestamp src_ip.src_port dest_ip.dest_port

2012-09-10 18:23:48.079340 IP 123.85.61.82.domain > 216.152.173.2.51486: 36174- 0/6/3 (613)

If the format will always stay like this, i.e. not change direction (ip.port < ip.port), you can easily try out extractions with rex before making the props.conf changes.

Something like this should do, I think.

... | rex "\s+IP\s+(?<src_ip>\d+\.\d+\.\d+\.\d+)\.(?<src_port>\S+)\s+>\s+(?<dest_ip>\d+\.\d+\.\d+\.\d+)\.(?<dest_port>[a-z0-9]+):\s+"

I think that IFX will have no trouble doing it for you either..

/Kristian

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎09-12-2012 11:26 PM

Well, I tried it, and it worked. From one of the events, click the little blue 'down' arrow next to the timestamp, select 'Extract Fields'. In the box type:

123.85.61.82,domain,216.152.173.2,51486

and click 'generate'. I didn't to through with saving the extractions, but the IFX correctly found all the IPs and ports.

0 Karma
Reply
Solved! Jump to solution

DTERM
Contributor
‎09-12-2012 04:11 PM

The IFX does not recognize this field. Is that normal?

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎09-11-2012 10:04 PM

I was about to answer, but seeing as you've been on splunkbase for quite a while, it would be beneficial to know first what the issue is here. Do you want to know how to perform field extractions?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...