Splunk Search

mvexpand not working for IP6 field

jwalzerpitt
Motivator

I have the Cisco ISE app loaded and there is a field, Framed_IPv6_Address that may contain up to six IPv6 addresses. Raw event snippet looks like this:

Framed-IPv6-Address=<IPv6 value>, Framed-IPv6-Address=<IPv6 value>, Framed-IPv6-Address=<IPv6 value>, etc

When I try mvexpand with

index=cisco sourcetype="cisco:ise:syslog" | mvexpand Framed_IPv6_Address

I am getting some, but not all, of the IPv6 addresses returned as values.

Any ideas on how I can get all IPv6 values listed?

Thx

0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust

@jwalzerpitt

If your raw event has multiple keys with the same name, like Framed-IPv6-Address, then Splunk auto extraction will extract that key with the first value only. You have a similar case. So I suggest you extract manually using the rex command.

https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Rex

Can you please try the search below:

YOUR_SEARCH | rex field=_raw "Framed-IPv6-Address=(?<Framed_IPv6_Address>(?:[A-F0-9]{1,4}:){7}[A-F0-9]{1,4})" max_match=0

You will get all the IPv6 addresses in the Framed_IPv6_Address field.

Try my sample search for more.

| makeresults | eval _raw="Framed-IPv6-Address=FE80:0000:0000:0000:0202:B3FF:FE1E:8329, Framed-IPv6-Address=1200:0000:AB00:1234:0000:2552:7777:1313, Framed-IPv6-Address=21DA:D3:0:2F3B:2AA:FF:FE28:9C5A  " | rex field=_raw "Framed-IPv6-Address=(?<Framed_IPv6_Address>(?:[A-F0-9]{1,4}:){7}[A-F0-9]{1,4})" max_match=0

UPDATED:

Can you please try this?

| makeresults 
| eval _raw="Jul 31 16:04:30 10.10.10.10 CISE_RADIUS_Accounting 0004688970 1 0 2019-07-31 16:04:30.979 -04:00 0161383501 3001 NOTICE Radius-Accounting: RADIUS Accounting stop request, ConfigVersionId=31, Device IP Address=10.10.10.10, UserName=blah@foo.com, RequestLatency=3, NetworkDeviceName=AA-AAA-CONTROLLERS, User-Name=blah@foo.com, NAS-IP-Address=10.10.10.10, NAS-Port=8, Framed-IP-Address=10.10.10.10, Class=CACS:9b09cd0a0025d10dc3cb415d:aa-ise-psn-01/353699673/4606862, Called-Station-ID=80-87-55-ag-bd-90, Called-Station-ID=80-87-55-ag-bd-90:WIRELESS-BLAH, Calling-Station-ID=38-33-0b-11-42-2g, NAS-Identifier=aa-blah-1.wlc8510, Acct-Status-Type=Stop, Acct-Delay-Time=0, Acct-Input-Octets=10144748, Acct-Output-Octets=172482276, Acct-Session-Id=4a31cbc2/13:83:0b:19:81:2f/4160511, Acct-Authentic=RADIUS, Acct-Session-Time=10376, Acct-Input-Packets=42627, Acct-Output-Packets=144424, Acct-Terminate-Cause=User Request, Acct-Input-Gigawords=0, Acct-Output-Gigawords=0, Event-Timestamp=1564603470, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 3317, Framed-IPv6-Address=2620:101:200a:6bf4:c:be6a:2e6e:a010, Framed-IPv6-Address=2620:101:200b:2bf3:420b:c23a:b26e:b3bc, Framed-IPv6-Address=fe63::a4:38f9:bcd2:213a, Framed-IPv6-Address=2620:101:200e:2bf2:11b9:ca2b:1cb:a30a, Framed-IPv6-Address=2620:102:400e:1cf5:c6:a9f1:2013:fbef, Framed-IPv6-Address=2610:101:200b:1df3:14ab:831f:981:cbc2, cisco-av-pair=audit-session-id=9b09cd0a0025d10dc3cb415d, cisco-av-pair=dhcp-option=host-name=users-iPhone, cisco-av-pair=http-tlv=User-Agent=Mozilla/5.0 (iPhone\; CPU iPhone OS 12_3_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML\, like Gecko) Mobile/15E148, Airespace-Wlan-Id=1, AcsSessionID=aa-ise-psn-01/353699673/4971704, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=22084, Step=11005, NetworkDeviceGroups=Location#All Locations#You Are Here#AA-WLC-Controllers, 
NetworkDeviceGroups=Device Type#All Device Types#Wireless#AA-Controllers, CPMSessionID=9b09cd0a0025d10dc3cb415d, Network Device Profile=Cisco, Location=Location#All Locations#You Are Here#AA-WLC-Controllers, Device Type=Device Type#All Device Types#Wireless#AA-Controllers," 
| rex field=_raw "Framed-IPv6-Address=(?<Framed_IPv6_Address>([0-9a-f]|:){1,4}(:([0-9a-f]{0,4})*){1,7})" max_match=0 | mvexpand Framed_IPv6_Address | table Framed_IPv6_Address

Thanks
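The first-value-only behaviour this answer describes, and the difference between its first regex and the updated one, reproduced in Python as an added example (not code from the thread or from Splunk). Splunk's (?<name>...) capture is spelled (?P<name>...) in Python; the event text is the poster's sanitized event trimmed to the relevant attributes; the DELIMITED pattern, the ipaddress validation and the GARBLED_EVENT sample are additions here, not something the thread proposes.

```python
import re
import ipaddress

# Constructed sample: the Framed-IPv6-Address portion of the sanitized ISE accounting
# event posted in the thread, with the surrounding attributes trimmed.
SAMPLE_EVENT = (
    "Tunnel-Private-Group-ID=(tag=0) 3317, "
    "Framed-IPv6-Address=2620:101:200a:6bf4:c:be6a:2e6e:a010, "
    "Framed-IPv6-Address=2620:101:200b:2bf3:420b:c23a:b26e:b3bc, "
    "Framed-IPv6-Address=fe63::a4:38f9:bcd2:213a, "
    "Framed-IPv6-Address=2620:101:200e:2bf2:11b9:ca2b:1cb:a30a, "
    "Framed-IPv6-Address=2620:102:400e:1cf5:c6:a9f1:2013:fbef, "
    "Framed-IPv6-Address=2610:101:200b:1df3:14ab:831f:981:cbc2, "
    "cisco-av-pair=audit-session-id=9b09cd0a0025d10dc3cb415d, "
)
# Constructed: a truncated value, to show why validating the capture matters.
GARBLED_EVENT = "Framed-IPv6-Address=2620:101:200a:, Framed-IPv6-Address=fe63::a4:38f9:bcd2:213a, "

# First suggestion from the thread: uppercase hex, exactly eight groups.
# Misses lowercase data and "::" compressed addresses.
STRICT_UPPER = r"Framed-IPv6-Address=(?P<addr>(?:[A-F0-9]{1,4}:){7}[A-F0-9]{1,4})"
# Accepted answer: lowercase hex, tolerates "::", but also accepts malformed fragments.
LOOSE_LOWER = r"Framed-IPv6-Address=(?P<addr>([0-9a-f]|:){1,4}(:([0-9a-f]{0,4})*){1,7})"
# Hardened variant (added here): any case, read up to the comma delimiter, validate afterwards.
DELIMITED = r"Framed-IPv6-Address=(?P<addr>[0-9A-Fa-f:]+)"


def extract(raw, pattern):
    """Emulate rex field=_raw "<pattern>" max_match=0: every <addr> capture, in event order."""
    return [m.group("addr") for m in re.finditer(pattern, raw)]


def first_value_only(raw):
    """Emulate automatic key=value extraction, which keeps only the first occurrence of a repeated key."""
    return extract(raw, DELIMITED)[:1]


def extract_validated(raw):
    """All Framed-IPv6-Address values that parse as IPv6, in canonical (compressed, lowercase) form."""
    valid = []
    for candidate in extract(raw, DELIMITED):
        try:
            valid.append(str(ipaddress.IPv6Address(candidate)))
        except ValueError:
            # Truncated or garbled capture: drop it rather than pass a bogus address downstream.
            continue
    return valid


if __name__ == "__main__":
    print("auto-extraction keeps:", first_value_only(SAMPLE_EVENT))        # one value
    print("strict uppercase regex:", extract(SAMPLE_EVENT, STRICT_UPPER))   # nothing on lowercase data
    print("accepted regex:", len(extract(SAMPLE_EVENT, LOOSE_LOWER)), "values")
    print("validated:", extract_validated(GARBLED_EVENT))                   # truncated value rejected
```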


jwalzerpitt
Motivator

Kamlesh,

Please see my reply to jnudell_2, as the suggested regex you provided (thx for that) is not pulling all six IPv6 addresses from the event.

Thx

0 Karma

kamlesh_vaghela
SplunkTrust

@jwalzerpitt

I have updated my answer. Can you please try that?

jwalzerpitt
Motivator

That worked

I modified my search to:

base search
| rex field=_raw "Framed-IPv6-Address=(?<Framed_IPv6_Address>([0-9a-f]|:){1,4}(:([0-9a-f]{0,4})*){1,7})" max_match=0 
| mvexpand Framed_IPv6_Address 
| table Framed_IPv6_Address

and all six IPv6 addresses were returned as values

How do you recommend that I convert this to an automatic search time extraction?

0 Karma

jnudell_2
Builder

Can you provide a sanitized example of your data results?

0 Karma

jwalzerpitt
Motivator

Sanitized event is as follows:

Jul 31 16:04:30 10.10.10.10 CISE_RADIUS_Accounting 0004688970 1 0 2019-07-31 16:04:30.979 -04:00 0161383501 3001 NOTICE Radius-Accounting: RADIUS Accounting stop request, ConfigVersionId=31, Device IP Address=10.10.10.10, UserName=blah@foo.com, RequestLatency=3, NetworkDeviceName=AA-AAA-CONTROLLERS, User-Name=blah@foo.com, NAS-IP-Address=10.10.10.10, NAS-Port=8, Framed-IP-Address=10.10.10.10, Class=CACS:9b09cd0a0025d10dc3cb415d:aa-ise-psn-01/353699673/4606862, Called-Station-ID=80-87-55-ag-bd-90, Called-Station-ID=80-87-55-ag-bd-90:WIRELESS-BLAH, Calling-Station-ID=38-33-0b-11-42-2g, NAS-Identifier=aa-blah-1.wlc8510, Acct-Status-Type=Stop, Acct-Delay-Time=0, Acct-Input-Octets=10144748, Acct-Output-Octets=172482276, Acct-Session-Id=4a31cbc2/13:83:0b:19:81:2f/4160511, Acct-Authentic=RADIUS, Acct-Session-Time=10376, Acct-Input-Packets=42627, Acct-Output-Packets=144424, Acct-Terminate-Cause=User Request, Acct-Input-Gigawords=0, Acct-Output-Gigawords=0, Event-Timestamp=1564603470, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 3317, Framed-IPv6-Address=2620:101:200a:6bf4:c:be6a:2e6e:a010, Framed-IPv6-Address=2620:101:200b:2bf3:420b:c23a:b26e:b3bc, Framed-IPv6-Address=fe63::a4:38f9:bcd2:213a, Framed-IPv6-Address=2620:101:200e:2bf2:11b9:ca2b:1cb:a30a, Framed-IPv6-Address=2620:102:400e:1cf5:c6:a9f1:2013:fbef, Framed-IPv6-Address=2610:101:200b:1df3:14ab:831f:981:cbc2, cisco-av-pair=audit-session-id=9b09cd0a0025d10dc3cb415d, cisco-av-pair=dhcp-option=host-name=users-iPhone, cisco-av-pair=http-tlv=User-Agent=Mozilla/5.0 (iPhone\; CPU iPhone OS 12_3_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML\, like Gecko) Mobile/15E148, Airespace-Wlan-Id=1, AcsSessionID=aa-ise-psn-01/353699673/4971704, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=22084, Step=11005, NetworkDeviceGroups=Location#All Locations#You Are Here#AA-WLC-Controllers, 
NetworkDeviceGroups=Device Type#All Device Types#Wireless#AA-Controllers, CPMSessionID=9b09cd0a0025d10dc3cb415d, Network Device Profile=Cisco, Location=Location#All Locations#You Are Here#AA-WLC-Controllers, Device Type=Device Type#All Device Types#Wireless#AA-Controllers, 

There are six IPv6 addresses for which I should have values in the Framed-IPv6-Address field, but only the first one is returned.

I tried running the regex kamlesh suggested:

| rex field=_raw "Framed-IPv6-Address=(?<Framed_IPv6_Address>(?:[A-F0-9]{1,4}:){7}[A-F0-9]{1,4})" max_match=0

and I still only get one IPv6 address value returned.

Thx

0 Karma