Splunk Search

getting duplicate source in events

jalfrey
Communicator

Splunk is unable to identify the source IP of the firewall from this log.
Jun 24 14:17:42 10.0.59.59 id=firewall sn=0017C569F354 time="2013-06-24 14:17:42" fw=10.0.59.59 pri=6 c=1024 m=537 msg="Connection Closed" app=49176 sess=Web n=3636758 usr="admin" src=10.103.62.80:29341:X1 dst=10.0.59.59:80:X1 proto=tcp/http sent=791 rcvd=3742

The correct source IP should be 10.0.59.59 which you can see in "fw=10.0.59.59". You can also see it just after the date/time stamp at the beginning of the line. So the data is duplicated. This is because Splunk can't find the value in the log line so it adds one automatically.

I got some help but was unable to make it work. Here is my props.conf file

[sonicwall]
# in addition to other things add
TRANSFORMS-host = host_for_sonicwall

here is my transforms.conf file

[host_for_sonicwall]
DEST_KEY = MetaData:Host
REGEX = fw=[0-9.]
FORMAT = host::$1

When I look at the search area of Splunk the host is showing up as "host=$1". It looks like it is not doing the substitution from the "FORMAT = host::$1" line.

0 Karma
1 Solution

asimagu
Builder

the regex that you are using is wrong. it should be

REGEX = fw=[0-9.]+

Escaping the equal sign is optional but the plus sign is essential in order to grab the whole ip address
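As an added check (example code written for this page, not from the thread or from Splunk itself), the script below runs the question's regex, the answer's regex, and a third variant over the event quoted above and reports what `$0` (the whole match) and `$1` (the first capturing group) would refer to. Splunk's FORMAT documents `$1` as the first capturing group, so the grouped form `fw=([0-9.]+)` is my assumption of the unambiguous way to write it; the `is_ipv4` validation and the `host_from_event` helper are likewise additions, not anything the thread contains.

```python
import re

# Constructed test input: the SonicWall event quoted in the question, copied verbatim.
SAMPLE_LINE = (
    'Jun 24 14:17:42 10.0.59.59 id=firewall sn=0017C569F354 '
    'time="2013-06-24 14:17:42" fw=10.0.59.59 pri=6 c=1024 m=537 '
    'msg="Connection Closed" app=49176 sess=Web n=3636758 usr="admin" '
    'src=10.103.62.80:29341:X1 dst=10.0.59.59:80:X1 proto=tcp/http '
    'sent=791 rcvd=3742'
)

# The regex from the question, the one from the accepted answer, and a
# variant (my assumption, not from the thread) that wraps the address in a
# capturing group so that FORMAT's $1 has an explicit referent.
REGEX_ORIGINAL = r"fw=[0-9.]"
REGEX_ANSWER = r"fw=[0-9.]+"
REGEX_GROUPED = r"fw=([0-9.]+)"


def match_text(regex, line):
    """Return the full text matched by REGEX in the event ($0 in FORMAT terms)."""
    m = re.search(regex, line)
    return m.group(0) if m else None


def captured_host(regex, line):
    """Return capture group 1 ($1 in FORMAT terms), or None when the regex
    either does not match or has no capturing group to refer to."""
    m = re.search(regex, line)
    if not m or not m.groups():
        return None
    return m.group(1)


def is_ipv4(value):
    """Sanity check: a dotted quad with four octets in 0..255. Catches
    partial matches such as '1' from the '+'-less regex, and junk such as
    '1...' that the character class alone would still accept."""
    parts = value.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def host_from_event(line, regex=REGEX_GROUPED):
    """Emulate the intended transform: extract the fw= address and validate it
    before treating it as the host value."""
    host = captured_host(regex, line)
    if host is None or not is_ipv4(host):
        return None
    return host


if __name__ == "__main__":
    for label, rx in (("original", REGEX_ORIGINAL),
                      ("answer", REGEX_ANSWER),
                      ("grouped", REGEX_GROUPED)):
        print(f"{label:9s} {rx:16s} $0={match_text(rx, SAMPLE_LINE)!r:18s} "
              f"$1={captured_host(rx, SAMPLE_LINE)!r}")
    print("host_from_event ->", host_from_event(SAMPLE_LINE))
```

Running it shows the point of the answer directly: without the `+` the match is just `fw=1`, with it the match is `fw=10.0.59.59`. Python's `re` and Splunk's PCRE agree on a pattern this simple, so the script is a quick way to check a transforms.conf regex before restarting the indexer; the validation step is there because `[0-9.]+` is loose enough to match strings that are not addresses at all.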

asimagu
Builder

this is very useful to validate and create regular expressions: http://gskinner.com/RegExr/

0 Karma

jalfrey
Communicator

This works perfectly. Thanks.

I have no idea how you wizards make this regex work. I'm sure I'll pick it up some day. 🙂

0 Karma