Splunk Search
Highlighted

how do I manipulate string data in tstats results?

Builder

I am trying to get all DHCP records for machines on which an authentication attempt was made for a user. I am doing this with a subsearch on the Authentication datamodel for the authentication sources.

One thing that I noticed is that sometimes my authentication info has the machine name, while other times it has the IP Address source, but prepended with "::ffff:"
That extra bit at the front makes the source unfindable in DHCP logs. Is there a way for my tstats result to remove the "::ffff:"

I have tried

|tstats count FROM datamodel=Authentication WHERE Authentication.user="<user>"  Authentication.action="failure" by Authentication.src | eval src=ltrim(Authentication.src,"::ffff:") | fields src

for which I end up with an empty field called src

and (longshot)

|tstats count FROM datamodel=Authentication WHERE Authentication.user="userName"  Authentication.action="failure" by ltrim(Authentication.src,"::ffff:")

which give me the error Error in 'tstats' command: Invalid argument: '::ffff:)'

if it matters, here is the larger query

sourcetype=DhcpSrvLog  "DNS Update Successful" [|tstats count FROM datamodel=Authentication WHERE Authentication.user="userName" Authentication.action="failure" by Authentication.src | rename Authentication.src as search]  | table time dest dest_ip
0 Karma
Highlighted

Re: how do I manipulate string data in tstats results?

SplunkTrust
SplunkTrust

Try this

|tstats count FROM datamodel=Authentication WHERE Authentication.user="<user>"  Authentication.action="failure" by Authentication.src | eval src=replace('Authentication.src',"::ffff:","") | fields src

View solution in original post

Highlighted

Re: how do I manipulate string data in tstats results?

Builder

Perfect. that does it! I guess that I need the field name in single quotes. Did not realize that.

0 Karma
Highlighted

Re: how do I manipulate string data in tstats results?

SplunkTrust
SplunkTrust

Yes, for field names which contains special characters like colon, dot, space etc (underscore is fine).

0 Karma