- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- getting duplicate source in events
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splun is unable to identify the souce IP of the firewall from this log.
Jun 24 14:17:42 10.0.59.59 id=firewall sn=0017C569F354 time="2013-06-24 14:17:42" fw=10.0.59.59 pri=6 c=1024 m=537 msg="Connection Closed" app=49176 sess=Web n=3636758 usr="admin" src=10.103.62.80:29341:X1 dst=10.0.59.59:80:X1 proto=tcp/http sent=791 rcvd=3742
The correct source IP should be 10.0.59.59 which you can see in "fw=10.0.59.59". You can also see it just after the date/time stamp at the beginning of the line. So the data is duplicated. This is because Splunk can't find the value in the log line so it adds one automatically.
I got some help but was unable to make it work. Here is my props.conf file
[sonicwall]
# in addition to other things add
TRANSFORMS-host = host_for_sonicwall
here is my transforms.conf file
[host_for_sonicwall]
DEST_KEY = MetaData:Host
REGEX = fw=[0-9.]
FORMAT = host::$1
When I look at the search area of splunk the host is showing up as "host=$1". It looks like it is not doing the substitution from the "FORMAT = host::$1" line.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the regex that you are using is wrong. it should be
REGEX = fw=[0-9.]+
Escaping the equal sign is optional but the plus sign is essential in order to grab the whole ip address
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the regex that you are using is wrong. it should be
REGEX = fw=[0-9.]+
Escaping the equal sign is optional but the plus sign is essential in order to grab the whole ip address
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this is very usefull to validate and create regular expressions http://gskinner.com/RegExr/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works perfectly. Thanks.
I have no idea how you wizards make this regex work. I'm sure I'll pick it up some day. 🙂
Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
