Splunk Search

dealing with duplicate variables after transaction command

jalfrey
Communicator

I am working with IPFix data from a firewall. The first template returns the flow information. That is stuff like Source IP, Destination IP, Flow ID. The second template returns URL related data. Using the transaction command I can correlate the events based on the Flow ID. In both templates is the dest_mac. The trouble is one of the templates always returns the MAC of 00:00:00:00:00:00 which is bad data. I would like to filter that data out any way possible.

How do I filter it?

0 Karma

kristian_kolb
Ultra Champion

If you want to filter it out before it is even indexed, you could use the anonymization techniques discussed in the docs (see below) to remove the faulty MAC before it even reaches the index:

http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/Anonymizedatausingconfigurationfiles

If you want to replace it during search, i.e. after the transaction, you can use the following (assuming the multivalued field is called MAC):

... | transaction FlowID | eval MAC=mvfilter(MAC != "00:00:00:00:00:00") | ...

or, if they always come in the same order (in this case the good MAC always comes before the bad):

... | transaction FlowID | eval MAC=mvindex(MAC,0)

if the bad always comes before the good, use mvindex(MAC,1)

See more here:
http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/CommonEvalFunctions

/k

0 Karma

kristian_kolb
Ultra Champion

Yes, well. These operations will not change the event that is presented on screen (which is stored in the _raw field). However, they will change the extracted field values, so what happens if you run the following:

index=sonicwall TemplateID=257 OR TemplateID=262 | transaction session_id startswith=TemplateID=257 | head 2 |eval dest_mac=mvfilter(dest_mac !="00:00:00:00:00:00") | table session_id dest_mac

/k

0 Karma
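To make the behaviour of transaction followed by mvfilter concrete, here is an added Python emulation (not code from the thread or from Splunk) run over constructed IPFix-style events: events sharing a session_id are merged into one transaction with multivalued fields, and the bad MAC is then filtered out. It also shows the edge case the search above does not handle: when every dest_mac in a transaction is 00:00:00:00:00:00, mvfilter leaves the field null.

```python
from collections import defaultdict

BAD_MAC = "00:00:00:00:00:00"

# Constructed sample events (not real firewall data): template 257 carries
# the flow record, template 262 the URL record, both keyed by session_id.
EVENTS = [
    {"TemplateID": 257, "session_id": "2149159280", "dest_mac": BAD_MAC,
     "dest_ip": "192.168.1.254"},
    {"TemplateID": 262, "session_id": "2149159280", "dest_mac": "00:50:56:a1:75:51",
     "url": "https://example.invalid/"},
    # A session where both templates returned the placeholder MAC.
    {"TemplateID": 257, "session_id": "2149159281", "dest_mac": BAD_MAC},
    {"TemplateID": 262, "session_id": "2149159281", "dest_mac": BAD_MAC},
]


def transaction(events, key):
    """Emulate `transaction <key>`: group events by key, turning each field
    into an ordered, de-duplicated multivalue list (first occurrence first)."""
    groups = defaultdict(lambda: defaultdict(list))
    for ev in events:
        for field, value in ev.items():
            if value not in groups[ev[key]][field]:
                groups[ev[key]][field].append(value)
    return {k: dict(v) for k, v in groups.items()}


def mvfilter(values, predicate):
    """Emulate eval mvfilter(): keep matching values; null (None) if none match."""
    kept = [v for v in values if predicate(v)]
    return kept or None


def clean_dest_mac(events):
    """Return {session_id: dest_mac values with the placeholder MAC removed}."""
    result = {}
    for session, fields in transaction(events, "session_id").items():
        result[session] = mvfilter(fields["dest_mac"], lambda m: m != BAD_MAC)
    return result
```

A null dest_mac for a session is the signal that neither template supplied a usable MAC, which is worth surfacing rather than silently dropping.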

jalfrey
Communicator

search:
index=sonicwall TemplateID=257 OR TemplateID=262 | transaction session_id startswith=TemplateID=257 | eval dest_mac=mvfilter(dest_mac !="00:00:00:00:00:00")
returns:
TemplateID=257 session_id=2149159280 src_mac=00:50:56:a1:75:51 dest_mac=00:00:00:00:00:00 src_ip=192.168.1.1 dest_ip=192.168.1.254 initiator_GW-IP_Addr=0.0.0.0 responder_GW-IP_Addr=0.0.0.0 src_int=19 src_port=63843 dest_port=443 init_to_resp_pkts=8 init_to_resp_octets=3260 init_to_resp_delta_pkts=8 init_to_resp_delta_octets=3260 start_time=2014-01-28 09:29:12 end_time=1969-12-31 16:00:00 tcp_flag=1 protocol=6 app_id=49178

0 Karma