Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- how do I manipulate string data in tstats results?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to get all DHCP records for machines on which an authentication attempt was made for a user. I am doing this with a subsearch on the Authentication datamodel for the authentication sources.
One thing that I noticed is that sometimes my authentication info has the machine name, while other times it has the IP Address source, but prepended with "::ffff:"
That extra bit at the front makes the source unfindable in DHCP logs. Is there a way for my tstats result to remove the "::ffff:"
I have tried
|tstats count FROM datamodel=Authentication WHERE Authentication.user="<user>" Authentication.action="failure" by Authentication.src | eval src=ltrim(Authentication.src,"::ffff:") | fields src
for which I end up with an empty field called src
and (longshot)
|tstats count FROM datamodel=Authentication WHERE Authentication.user="userName" Authentication.action="failure" by ltrim(Authentication.src,"::ffff:")
which give me the error Error in 'tstats' command: Invalid argument: '::ffff:)'
if it matters, here is the larger query
sourcetype=DhcpSrvLog "DNS Update Successful" [|tstats count FROM datamodel=Authentication WHERE Authentication.user="userName" Authentication.action="failure" by Authentication.src | rename Authentication.src as search] | table time dest dest_ip
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
|tstats count FROM datamodel=Authentication WHERE Authentication.user="<user>" Authentication.action="failure" by Authentication.src | eval src=replace('Authentication.src',"::ffff:","") | fields src
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
|tstats count FROM datamodel=Authentication WHERE Authentication.user="<user>" Authentication.action="failure" by Authentication.src | eval src=replace('Authentication.src',"::ffff:","") | fields src
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perfect. that does it! I guess that I need the field name in single quotes. Did not realize that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, for field names which contains special characters like colon, dot, space etc (underscore is fine).
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
Global Splunk User Group Events: May + June 2026
