Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

getting duplicate source in events

jalfrey
Communicator
‎06-24-2013 02:29 PM

Splun is unable to identify the souce IP of the firewall from this log.
Jun 24 14:17:42 10.0.59.59 id=firewall sn=0017C569F354 time="2013-06-24 14:17:42" fw=10.0.59.59 pri=6 c=1024 m=537 msg="Connection Closed" app=49176 sess=Web n=3636758 usr="admin" src=10.103.62.80:29341:X1 dst=10.0.59.59:80:X1 proto=tcp/http sent=791 rcvd=3742

The correct source IP should be 10.0.59.59 which you can see in "fw=10.0.59.59". You can also see it just after the date/time stamp at the beginning of the line. So the data is duplicated. This is because Splunk can't find the value in the log line so it adds one automatically.

I got some help but was unable to make it work. Here is my props.conf file

[sonicwall]
# in addition to other things add
TRANSFORMS-host = host_for_sonicwall

here is my transforms.conf file

[host_for_sonicwall]
DEST_KEY = MetaData:Host
REGEX = fw=[0-9.]
FORMAT = host::$1

When I look at the search area of splunk the host is showing up as "host=$1". It looks like it is not doing the substitution from the "FORMAT = host::$1" line.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

asimagu
Builder
‎06-24-2013 05:38 PM

the regex that you are using is wrong. it should be

REGEX = fw=[0-9.]+

Escaping the equal sign is optional but the plus sign is essential in order to grab the whole ip address

View solution in original post

Reply
Solved! Jump to solution
Solution

asimagu
Builder
‎06-24-2013 05:38 PM

the regex that you are using is wrong. it should be

REGEX = fw=[0-9.]+

Escaping the equal sign is optional but the plus sign is essential in order to grab the whole ip address

Reply
Solved! Jump to solution

asimagu
Builder
‎06-24-2013 07:21 PM

this is very usefull to validate and create regular expressions http://gskinner.com/RegExr/

0 Karma
Reply
Solved! Jump to solution

jalfrey
Communicator
‎06-24-2013 07:19 PM

This works perfectly. Thanks.

I have no idea how you wizards make this regex work. I'm sure I'll pick it up some day. 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk MCP & Agentic AI: Machine Data Without Limits

  Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization ...

Finding Based Detections General Availability

Overview  We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Hands-On Learning and Technical Seminars  Sometimes, you just need to see the code. For those looking for a ...