Splunk Search

mvexpand not working for IP6 field

Motivator

I have the Cisco ISE app loaded and there is a field, Framed_IPv6_Address that may contain up to six IPv6 addresses. Raw event snippet looks like this:

Framed-IPv6-Address=<IPv6 value>, Framed-IPv6-Address=<IPv6 value>, Framed-IPv6-Address=<IPv6 value>, etc

When I try mvexpand index=cisco sourcetype="cisco:ise:syslog" | mvexpand Framed_IPv6_Address I am getting some, but not all of the IPv6 addresses returned as values.

Any ideas on how I can get all IPv6 values listed?

Thx

0 Karma
1 Solution

SplunkTrust
SplunkTrust

@jwalzerpitt

If your raw event has multiple keys with the same name like Framed-IPv6-Address then Splunk auto extraction will extract that key with the first value. You have a similar case. So I suggest you extract manually using rex command.

https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Rex

Can you please try below search:

YOUR_SEARCH | rex field=_raw "Framed-IPv6-Address=(?<Framed_IPv6_Address>(?:[A-F0-9]{1,4}:){7}[A-F0-9]{1,4})" max_match=0

You will get all the IPV_6 in Framed_IPv6_Address field.

Try my sample search for more.

| makeresults | eval _raw="Framed-IPv6-Address=FE80:0000:0000:0000:0202:B3FF:FE1E:8329, Framed-IPv6-Address=1200:0000:AB00:1234:0000:2552:7777:1313, Framed-IPv6-Address=21DA:D3:0:2F3B:2AA:FF:FE28:9C5A  " | rex field=_raw "Framed-IPv6-Address=(?<Framed_IPv6_Address>(?:[A-F0-9]{1,4}:){7}[A-F0-9]{1,4})" max_match=0

UPDATED:

Can you please try this?

| makeresults 
| eval _raw="Jul 31 16:04:30 10.10.10.10 CISE_RADIUS_Accounting 0004688970 1 0 2019-07-31 16:04:30.979 -04:00 0161383501 3001 NOTICE Radius-Accounting: RADIUS Accounting stop request, ConfigVersionId=31, Device IP Address=10.10.10.10, UserName=blah@foo.com, RequestLatency=3, NetworkDeviceName=AA-AAA-CONTROLLERS, User-Name=blah@foo.com, NAS-IP-Address=10.10.10.10, NAS-Port=8, Framed-IP-Address=10.10.10.10, Class=CACS:9b09cd0a0025d10dc3cb415d:aa-ise-psn-01/353699673/4606862, Called-Station-ID=80-87-55-ag-bd-90, Called-Station-ID=80-87-55-ag-bd-90:WIRELESS-BLAH, Calling-Station-ID=38-33-0b-11-42-2g, NAS-Identifier=aa-blah-1.wlc8510, Acct-Status-Type=Stop, Acct-Delay-Time=0, Acct-Input-Octets=10144748, Acct-Output-Octets=172482276, Acct-Session-Id=4a31cbc2/13:83:0b:19:81:2f/4160511, Acct-Authentic=RADIUS, Acct-Session-Time=10376, Acct-Input-Packets=42627, Acct-Output-Packets=144424, Acct-Terminate-Cause=User Request, Acct-Input-Gigawords=0, Acct-Output-Gigawords=0, Event-Timestamp=1564603470, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 3317, Framed-IPv6-Address=2620:101:200a:6bf4:c:be6a:2e6e:a010, Framed-IPv6-Address=2620:101:200b:2bf3:420b:c23a:b26e:b3bc, Framed-IPv6-Address=fe63::a4:38f9:bcd2:213a, Framed-IPv6-Address=2620:101:200e:2bf2:11b9:ca2b:1cb:a30a, Framed-IPv6-Address=2620:102:400e:1cf5:c6:a9f1:2013:fbef, Framed-IPv6-Address=2610:101:200b:1df3:14ab:831f:981:cbc2, cisco-av-pair=audit-session-id=9b09cd0a0025d10dc3cb415d, cisco-av-pair=dhcp-option=host-name=users-iPhone, cisco-av-pair=http-tlv=User-Agent=Mozilla/5.0 (iPhone\; CPU iPhone OS 12_3_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML\, like Gecko) Mobile/15E148, Airespace-Wlan-Id=1, AcsSessionID=aa-ise-psn-01/353699673/4971704, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=22084, Step=11005, NetworkDeviceGroups=Location#All Locations#You Are Here#AA-WLC-Controllers, NetworkDeviceGroups=Device Type#All Device Types#Wireless#AA-Controllers, CPMSessionID=9b09cd0a0025d10dc3cb415d, Network Device Profile=Cisco, Location=Location#All Locations#You Are Here#AA-WLC-Controllers, Device Type=Device Type#All Device Types#Wireless#AA-Controllers," 
| rex field=_raw "Framed-IPv6-Address=(?<Framed_IPv6_Address>([0-9a-f]|:){1,4}(:([0-9a-f]{0,4})*){1,7})" max_match=0 | mvexpand Framed_IPv6_Address | table Framed_IPv6_Address

Thanks

View solution in original post

SplunkTrust
SplunkTrust

@jwalzerpitt

If your raw event has multiple keys with the same name like Framed-IPv6-Address then Splunk auto extraction will extract that key with the first value. You have a similar case. So I suggest you extract manually using rex command.

https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Rex

Can you please try below search:

YOUR_SEARCH | rex field=_raw "Framed-IPv6-Address=(?<Framed_IPv6_Address>(?:[A-F0-9]{1,4}:){7}[A-F0-9]{1,4})" max_match=0

You will get all the IPV_6 in Framed_IPv6_Address field.

Try my sample search for more.

| makeresults | eval _raw="Framed-IPv6-Address=FE80:0000:0000:0000:0202:B3FF:FE1E:8329, Framed-IPv6-Address=1200:0000:AB00:1234:0000:2552:7777:1313, Framed-IPv6-Address=21DA:D3:0:2F3B:2AA:FF:FE28:9C5A  " | rex field=_raw "Framed-IPv6-Address=(?<Framed_IPv6_Address>(?:[A-F0-9]{1,4}:){7}[A-F0-9]{1,4})" max_match=0

UPDATED:

Can you please try this?

| makeresults 
| eval _raw="Jul 31 16:04:30 10.10.10.10 CISE_RADIUS_Accounting 0004688970 1 0 2019-07-31 16:04:30.979 -04:00 0161383501 3001 NOTICE Radius-Accounting: RADIUS Accounting stop request, ConfigVersionId=31, Device IP Address=10.10.10.10, UserName=blah@foo.com, RequestLatency=3, NetworkDeviceName=AA-AAA-CONTROLLERS, User-Name=blah@foo.com, NAS-IP-Address=10.10.10.10, NAS-Port=8, Framed-IP-Address=10.10.10.10, Class=CACS:9b09cd0a0025d10dc3cb415d:aa-ise-psn-01/353699673/4606862, Called-Station-ID=80-87-55-ag-bd-90, Called-Station-ID=80-87-55-ag-bd-90:WIRELESS-BLAH, Calling-Station-ID=38-33-0b-11-42-2g, NAS-Identifier=aa-blah-1.wlc8510, Acct-Status-Type=Stop, Acct-Delay-Time=0, Acct-Input-Octets=10144748, Acct-Output-Octets=172482276, Acct-Session-Id=4a31cbc2/13:83:0b:19:81:2f/4160511, Acct-Authentic=RADIUS, Acct-Session-Time=10376, Acct-Input-Packets=42627, Acct-Output-Packets=144424, Acct-Terminate-Cause=User Request, Acct-Input-Gigawords=0, Acct-Output-Gigawords=0, Event-Timestamp=1564603470, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 3317, Framed-IPv6-Address=2620:101:200a:6bf4:c:be6a:2e6e:a010, Framed-IPv6-Address=2620:101:200b:2bf3:420b:c23a:b26e:b3bc, Framed-IPv6-Address=fe63::a4:38f9:bcd2:213a, Framed-IPv6-Address=2620:101:200e:2bf2:11b9:ca2b:1cb:a30a, Framed-IPv6-Address=2620:102:400e:1cf5:c6:a9f1:2013:fbef, Framed-IPv6-Address=2610:101:200b:1df3:14ab:831f:981:cbc2, cisco-av-pair=audit-session-id=9b09cd0a0025d10dc3cb415d, cisco-av-pair=dhcp-option=host-name=users-iPhone, cisco-av-pair=http-tlv=User-Agent=Mozilla/5.0 (iPhone\; CPU iPhone OS 12_3_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML\, like Gecko) Mobile/15E148, Airespace-Wlan-Id=1, AcsSessionID=aa-ise-psn-01/353699673/4971704, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=22084, Step=11005, NetworkDeviceGroups=Location#All Locations#You Are Here#AA-WLC-Controllers, NetworkDeviceGroups=Device Type#All Device Types#Wireless#AA-Controllers, CPMSessionID=9b09cd0a0025d10dc3cb415d, Network Device Profile=Cisco, Location=Location#All Locations#You Are Here#AA-WLC-Controllers, Device Type=Device Type#All Device Types#Wireless#AA-Controllers," 
| rex field=_raw "Framed-IPv6-Address=(?<Framed_IPv6_Address>([0-9a-f]|:){1,4}(:([0-9a-f]{0,4})*){1,7})" max_match=0 | mvexpand Framed_IPv6_Address | table Framed_IPv6_Address

Thanks

View solution in original post

Motivator

Kamelsh,

Please see reply to jnudell_2 as the suggested regex you provided (thx for that) is not pulling all six IPv6 addresses from the event

Thx

0 Karma

SplunkTrust
SplunkTrust

@jwalzerpitt

I have updated my answer. Can you please try that?

Motivator

That worked

I modified my search to:

base search
| rex field=_raw "Framed-IPv6-Address=(?<Framed_IPv6_Address>([0-9a-f]|:){1,4}(:([0-9a-f]{0,4})*){1,7})" max_match=0 
| mvexpand Framed_IPv6_Address 
| table Framed_IPv6_Address

and all six IPv6 addresses were returned as values

How do you recommend that I convert this to an automatic search time extraction?

0 Karma

Builder

Can you provide a sanitized example of your data results?

0 Karma

Motivator

Sanitized event is as follows:

Jul 31 16:04:30 10.10.10.10 CISE_RADIUS_Accounting 0004688970 1 0 2019-07-31 16:04:30.979 -04:00 0161383501 3001 NOTICE Radius-Accounting: RADIUS Accounting stop request, ConfigVersionId=31, Device IP Address=10.10.10.10, UserName=blah@foo.com, RequestLatency=3, NetworkDeviceName=AA-AAA-CONTROLLERS, User-Name=blah@foo.com, NAS-IP-Address=10.10.10.10, NAS-Port=8, Framed-IP-Address=10.10.10.10, Class=CACS:9b09cd0a0025d10dc3cb415d:aa-ise-psn-01/353699673/4606862, Called-Station-ID=80-87-55-ag-bd-90, Called-Station-ID=80-87-55-ag-bd-90:WIRELESS-BLAH, Calling-Station-ID=38-33-0b-11-42-2g, NAS-Identifier=aa-blah-1.wlc8510, Acct-Status-Type=Stop, Acct-Delay-Time=0, Acct-Input-Octets=10144748, Acct-Output-Octets=172482276, Acct-Session-Id=4a31cbc2/13:83:0b:19:81:2f/4160511, Acct-Authentic=RADIUS, Acct-Session-Time=10376, Acct-Input-Packets=42627, Acct-Output-Packets=144424, Acct-Terminate-Cause=User Request, Acct-Input-Gigawords=0, Acct-Output-Gigawords=0, Event-Timestamp=1564603470, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 3317, Framed-IPv6-Address=2620:101:200a:6bf4:c:be6a:2e6e:a010, Framed-IPv6-Address=2620:101:200b:2bf3:420b:c23a:b26e:b3bc, Framed-IPv6-Address=fe63::a4:38f9:bcd2:213a, Framed-IPv6-Address=2620:101:200e:2bf2:11b9:ca2b:1cb:a30a, Framed-IPv6-Address=2620:102:400e:1cf5:c6:a9f1:2013:fbef, Framed-IPv6-Address=2610:101:200b:1df3:14ab:831f:981:cbc2, cisco-av-pair=audit-session-id=9b09cd0a0025d10dc3cb415d, cisco-av-pair=dhcp-option=host-name=users-iPhone, cisco-av-pair=http-tlv=User-Agent=Mozilla/5.0 (iPhone\; CPU iPhone OS 12_3_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML\, like Gecko) Mobile/15E148, Airespace-Wlan-Id=1, AcsSessionID=aa-ise-psn-01/353699673/4971704, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=22084, Step=11005, NetworkDeviceGroups=Location#All Locations#You Are Here#AA-WLC-Controllers, NetworkDeviceGroups=Device Type#All Device Types#Wireless#AA-Controllers, CPMSessionID=9b09cd0a0025d10dc3cb415d, Network Device Profile=Cisco, Location=Location#All Locations#You Are Here#AA-WLC-Controllers, Device Type=Device Type#All Device Types#Wireless#AA-Controllers, 

There are six IPv6 addresses that I should have values for the Framed-IPv6-Address field, but only the first one is returned.

I tried running the regex kamlesh suggested - | rex field=_raw "Framed-IPv6-Address=(?<Framed_IPv6_Address>(?:[A-F0-9]{1,4}:){7}[A-F0-9]{1,4})" max_match=0 and I still only get one IPv6 address value returned

Thx

0 Karma