Splunk Search

mvexpand not working for IP6 field

jwalzerpitt
Influencer

I have the Cisco ISE app loaded and there is a field, Framed_IPv6_Address that may contain up to six IPv6 addresses. Raw event snippet looks like this:

Framed-IPv6-Address=<IPv6 value>, Framed-IPv6-Address=<IPv6 value>, Framed-IPv6-Address=<IPv6 value>, etc

When I try mvexpand (index=cisco sourcetype="cisco:ise:syslog" | mvexpand Framed_IPv6_Address) I am getting some, but not all, of the IPv6 addresses returned as values.

Any ideas on how I can get all IPv6 values listed?

Thx

1 Solution

kamlesh_vaghela
SplunkTrust

@jwalzerpitt

If your raw event has multiple keys with the same name, like Framed-IPv6-Address, then Splunk auto extraction will extract that key with the first value. You have a similar case. So I suggest you extract manually using the rex command.

https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Rex

Can you please try the below search:

YOUR_SEARCH | rex field=_raw "Framed-IPv6-Address=(?<Framed_IPv6_Address>(?:[A-F0-9]{1,4}:){7}[A-F0-9]{1,4})" max_match=0

You will get all the IPv6 addresses in the Framed_IPv6_Address field.

Try my sample search for more.

| makeresults 
| eval _raw="Framed-IPv6-Address=FE80:0000:0000:0000:0202:B3FF:FE1E:8329, Framed-IPv6-Address=1200:0000:AB00:1234:0000:2552:7777:1313, Framed-IPv6-Address=21DA:D3:0:2F3B:2AA:FF:FE28:9C5A  " 
| rex field=_raw "Framed-IPv6-Address=(?<Framed_IPv6_Address>(?:[A-F0-9]{1,4}:){7}[A-F0-9]{1,4})" max_match=0

UPDATED:

Can you please try this?

| makeresults 
| eval _raw="Jul 31 16:04:30 10.10.10.10 CISE_RADIUS_Accounting 0004688970 1 0 2019-07-31 16:04:30.979 -04:00 0161383501 3001 NOTICE Radius-Accounting: RADIUS Accounting stop request, ConfigVersionId=31, Device IP Address=10.10.10.10, UserName=blah@foo.com, RequestLatency=3, NetworkDeviceName=AA-AAA-CONTROLLERS, User-Name=blah@foo.com, NAS-IP-Address=10.10.10.10, NAS-Port=8, Framed-IP-Address=10.10.10.10, Class=CACS:9b09cd0a0025d10dc3cb415d:aa-ise-psn-01/353699673/4606862, Called-Station-ID=80-87-55-ag-bd-90, Called-Station-ID=80-87-55-ag-bd-90:WIRELESS-BLAH, Calling-Station-ID=38-33-0b-11-42-2g, NAS-Identifier=aa-blah-1.wlc8510, Acct-Status-Type=Stop, Acct-Delay-Time=0, Acct-Input-Octets=10144748, Acct-Output-Octets=172482276, Acct-Session-Id=4a31cbc2/13:83:0b:19:81:2f/4160511, Acct-Authentic=RADIUS, Acct-Session-Time=10376, Acct-Input-Packets=42627, Acct-Output-Packets=144424, Acct-Terminate-Cause=User Request, Acct-Input-Gigawords=0, Acct-Output-Gigawords=0, Event-Timestamp=1564603470, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 3317, Framed-IPv6-Address=2620:101:200a:6bf4:c:be6a:2e6e:a010, Framed-IPv6-Address=2620:101:200b:2bf3:420b:c23a:b26e:b3bc, Framed-IPv6-Address=fe63::a4:38f9:bcd2:213a, Framed-IPv6-Address=2620:101:200e:2bf2:11b9:ca2b:1cb:a30a, Framed-IPv6-Address=2620:102:400e:1cf5:c6:a9f1:2013:fbef, Framed-IPv6-Address=2610:101:200b:1df3:14ab:831f:981:cbc2, cisco-av-pair=audit-session-id=9b09cd0a0025d10dc3cb415d, cisco-av-pair=dhcp-option=host-name=users-iPhone, cisco-av-pair=http-tlv=User-Agent=Mozilla/5.0 (iPhone\; CPU iPhone OS 12_3_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML\, like Gecko) Mobile/15E148, Airespace-Wlan-Id=1, AcsSessionID=aa-ise-psn-01/353699673/4971704, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=22084, Step=11005, NetworkDeviceGroups=Location#All Locations#You Are Here#AA-WLC-Controllers, 
NetworkDeviceGroups=Device Type#All Device Types#Wireless#AA-Controllers, CPMSessionID=9b09cd0a0025d10dc3cb415d, Network Device Profile=Cisco, Location=Location#All Locations#You Are Here#AA-WLC-Controllers, Device Type=Device Type#All Device Types#Wireless#AA-Controllers," 
| rex field=_raw "Framed-IPv6-Address=(?<Framed_IPv6_Address>([0-9a-f]|:){1,4}(:([0-9a-f]{0,4})*){1,7})" max_match=0 | mvexpand Framed_IPv6_Address | table Framed_IPv6_Address

Thanks

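As an added illustration (not code from the thread or from the Cisco ISE app), here is a Python check of the two approaches against the sanitized event above: the strict, upper-case-only, eight-group pattern finds nothing in ISE's lower-case output (which is why only the auto-extracted first value showed up), while a permissive capture followed by validation with the standard ipaddress module returns all six. The LOOSE_RE pattern, the trimmed SAMPLE_EVENT and the function names are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: the sanitized ISE accounting event from the thread,
# trimmed to the attributes relevant here (six Framed-IPv6-Address values).
SAMPLE_EVENT = (
    "Radius-Accounting: RADIUS Accounting stop request, "
    "Framed-IP-Address=10.10.10.10, "
    "Framed-IPv6-Address=2620:101:200a:6bf4:c:be6a:2e6e:a010, "
    "Framed-IPv6-Address=2620:101:200b:2bf3:420b:c23a:b26e:b3bc, "
    "Framed-IPv6-Address=fe63::a4:38f9:bcd2:213a, "
    "Framed-IPv6-Address=2620:101:200e:2bf2:11b9:ca2b:1cb:a30a, "
    "Framed-IPv6-Address=2620:102:400e:1cf5:c6:a9f1:2013:fbef, "
    "Framed-IPv6-Address=2610:101:200b:1df3:14ab:831f:981:cbc2, "
    "cisco-av-pair=audit-session-id=9b09cd0a0025d10dc3cb415d"
)

# First regex from the thread: upper-case hex only and exactly eight groups,
# so lower-case ISE output and '::'-compressed addresses never match.
STRICT_RE = re.compile(r"Framed-IPv6-Address=((?:[A-F0-9]{1,4}:){7}[A-F0-9]{1,4})")

# Looser pattern (hypothetical, not from the thread): capture every hex/colon
# run after the key, then let the ipaddress module decide whether it is valid.
LOOSE_RE = re.compile(r"Framed-IPv6-Address=([0-9A-Fa-f:]+)")


def extract_strict(raw: str) -> list:
    """Equivalent of `rex ... max_match=0` with the strict pattern."""
    return STRICT_RE.findall(raw)


def extract_validated(raw: str) -> list:
    """Return every Framed-IPv6-Address value that parses as a valid IPv6,
    in canonical (compressed, lower-case) form so duplicates compare equal."""
    found = []
    for candidate in LOOSE_RE.findall(raw):
        try:
            found.append(str(ipaddress.IPv6Address(candidate)))
        except ipaddress.AddressValueError:
            # Malformed value (e.g. nine groups): skip it rather than let it
            # pollute the field.
            continue
    return found


if __name__ == "__main__":
    print("strict matches:", extract_strict(SAMPLE_EVENT))
    print("validated matches:", extract_validated(SAMPLE_EVENT))
```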


jwalzerpitt
Influencer

Kamlesh,

Please see my reply to jnudell_2, as the suggested regex you provided (thx for that) is not pulling all six IPv6 addresses from the event.

Thx


kamlesh_vaghela
SplunkTrust

@jwalzerpitt

I have updated my answer. Can you please try that?

jwalzerpitt
Influencer

That worked.

I modified my search to:

base search
| rex field=_raw "Framed-IPv6-Address=(?<Framed_IPv6_Address>([0-9a-f]|:){1,4}(:([0-9a-f]{0,4})*){1,7})" max_match=0 
| mvexpand Framed_IPv6_Address 
| table Framed_IPv6_Address

and all six IPv6 addresses were returned as values.

How do you recommend that I convert this to an automatic search time extraction?


jnudell_2
Builder

Can you provide a sanitized example of your data results?


jwalzerpitt
Influencer

Sanitized event is as follows:

Jul 31 16:04:30 10.10.10.10 CISE_RADIUS_Accounting 0004688970 1 0 2019-07-31 16:04:30.979 -04:00 0161383501 3001 NOTICE Radius-Accounting: RADIUS Accounting stop request, ConfigVersionId=31, Device IP Address=10.10.10.10, UserName=blah@foo.com, RequestLatency=3, NetworkDeviceName=AA-AAA-CONTROLLERS, User-Name=blah@foo.com, NAS-IP-Address=10.10.10.10, NAS-Port=8, Framed-IP-Address=10.10.10.10, Class=CACS:9b09cd0a0025d10dc3cb415d:aa-ise-psn-01/353699673/4606862, Called-Station-ID=80-87-55-ag-bd-90, Called-Station-ID=80-87-55-ag-bd-90:WIRELESS-BLAH, Calling-Station-ID=38-33-0b-11-42-2g, NAS-Identifier=aa-blah-1.wlc8510, Acct-Status-Type=Stop, Acct-Delay-Time=0, Acct-Input-Octets=10144748, Acct-Output-Octets=172482276, Acct-Session-Id=4a31cbc2/13:83:0b:19:81:2f/4160511, Acct-Authentic=RADIUS, Acct-Session-Time=10376, Acct-Input-Packets=42627, Acct-Output-Packets=144424, Acct-Terminate-Cause=User Request, Acct-Input-Gigawords=0, Acct-Output-Gigawords=0, Event-Timestamp=1564603470, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 3317, Framed-IPv6-Address=2620:101:200a:6bf4:c:be6a:2e6e:a010, Framed-IPv6-Address=2620:101:200b:2bf3:420b:c23a:b26e:b3bc, Framed-IPv6-Address=fe63::a4:38f9:bcd2:213a, Framed-IPv6-Address=2620:101:200e:2bf2:11b9:ca2b:1cb:a30a, Framed-IPv6-Address=2620:102:400e:1cf5:c6:a9f1:2013:fbef, Framed-IPv6-Address=2610:101:200b:1df3:14ab:831f:981:cbc2, cisco-av-pair=audit-session-id=9b09cd0a0025d10dc3cb415d, cisco-av-pair=dhcp-option=host-name=users-iPhone, cisco-av-pair=http-tlv=User-Agent=Mozilla/5.0 (iPhone\; CPU iPhone OS 12_3_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML\, like Gecko) Mobile/15E148, Airespace-Wlan-Id=1, AcsSessionID=aa-ise-psn-01/353699673/4971704, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=22084, Step=11005, NetworkDeviceGroups=Location#All Locations#You Are Here#AA-WLC-Controllers, 
NetworkDeviceGroups=Device Type#All Device Types#Wireless#AA-Controllers, CPMSessionID=9b09cd0a0025d10dc3cb415d, Network Device Profile=Cisco, Location=Location#All Locations#You Are Here#AA-WLC-Controllers, Device Type=Device Type#All Device Types#Wireless#AA-Controllers, 

There are six IPv6 addresses that I should have as values for the Framed-IPv6-Address field, but only the first one is returned.

I tried running the regex kamlesh suggested (| rex field=_raw "Framed-IPv6-Address=(?<Framed_IPv6_Address>(?:[A-F0-9]{1,4}:){7}[A-F0-9]{1,4})" max_match=0) and I still only get one IPv6 address value returned.

Thx
