Getting Data In

srcip having numeric number

pavanbmishra
Path Finder

Hi All,

While analyzing the firewall logs, I could see the src_ip (src) field taking a numeric value as well as the actual IP address. Sharing the sample log below, where it is grabbing src as 5864897, the numeric value just after PASS.

Nov 5 17:37:57 abcxyz.com fwlogs:[27999] match PASS 5864897/5893553 IN 60 TCP 10.10.10.10/4655->10.20.20.20/443 S

I extracted the field as below for src; still it is not getting parsed and is taking the numeric value. Kindly help.

(TCP|FIN|RST|TIMEOUT)\s(?<srcip>\d+\.\d+\.\d+\.\d+)/

0 Karma
1 Solution

gcusello
SplunkTrust

Hi @pavanbmishra,

probably your logs are different from the one you shared, because the regex is correct:

[screenshot]

Could you share other samples?

Ciao.

Giuseppe


pavanbmishra
Path Finder

Thanks gcusello,

I tried this also, still no luck. Same issue.

0 Karma


pavanbmishra
Path Finder

Yeah it is. By the way, many thanks for being a helping hand.

Even when I try this, it is working on regex101 but not working under the extracted field. Here is the sample log below:

Nov 6 07:13:43 xyz.com dflogs:[13223] match PASS 5864435/5893003 IN 52 TCP 10.10.10.10/62203->10.20.20.20/443 SEW

Also wanted to highlight that the src and src_ip fields are already there and I am overwriting the regex using a field extraction. Would that work? Or is there anything else I need to look into here?

0 Karma

gcusello
SplunkTrust

Hi @pavanbmishra,

I don't understand why you want to overwrite the srcip value; anyway, the regex is correct and also runs in Splunk, not only in regex101:

[screenshot]

As I said, probably there's something different in your logs.

Ciao.

Giuseppe

0 Karma

pavanbmishra
Path Finder

Yes gcusello, exactly, it is working in Splunk as well.

The motive behind creating this field extraction is that there are some numeric values also being captured along with the IP address, and I wanted to exclude those numeric values here. Any suggestion would be highly appreciated.

0 Karma

gcusello
SplunkTrust

Hi @pavanbmishra,

could you explain this new situation better?

What do you mean by "there are some numeric values also being captured along with ip address"?

If you use my regex above you can only take values in IPv4 format.

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust

Hi @pavanbmishra,

the problem is the final slash "/", which must be escaped:

| rex "(TCP|FIN|RST|TIMEOUT)\s(?<srcip>\d+\.\d+\.\d+\.\d+)\/"

that you can test at https://regex101.com/r/YTmopO/1

Ciao.

Giuseppe

0 Karma
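As an added example (not from the thread, and not Splunk's own code), the following Python script runs the thread's regex, both with and without the escaped slash, over the two sample events posted above plus two constructed ones, beside a deliberately loose extraction that grabs the session counter after PASS, which reproduces the symptom described in the question. It also validates the capture with the `ipaddress` module, because `\d+\.\d+\.\d+\.\d+` happily accepts octets above 255. `LOOSE_RE` and the two extra events are assumptions for illustration; the add-on extraction that actually produced the wrong src value is never shown in the thread.

```python
import re
import ipaddress
from typing import Optional

# Constructed sample events. The first two are copied from the thread; the
# last two are made up here to exercise another state token and a bad octet.
SAMPLE_EVENTS = [
    "Nov 5 17:37:57 abcxyz.com fwlogs:[27999] match PASS 5864897/5893553 IN 60 TCP 10.10.10.10/4655->10.20.20.20/443 S",
    "Nov 6 07:13:43 xyz.com dflogs:[13223] match PASS 5864435/5893003 IN 52 TCP 10.10.10.10/62203->10.20.20.20/443 SEW",
    "Nov 6 07:15:01 xyz.com dflogs:[13223] match TIMEOUT 5864436/5893004 IN 52 TCP 192.0.2.7/51000->10.20.20.20/443 F",
    "Nov 6 07:16:09 xyz.com dflogs:[13223] match PASS 5864437/5893005 IN 52 TCP 999.10.10.10/40000->10.20.20.20/443 S",
]

# The thread's regex. "/" is not a metacharacter in PCRE or Python's re, so the
# escaped and unescaped forms compile to the same pattern.
SRCIP_RE = re.compile(r"(TCP|FIN|RST|TIMEOUT)\s(?P<srcip>\d+\.\d+\.\d+\.\d+)/")
SRCIP_RE_ESCAPED = re.compile(r"(TCP|FIN|RST|TIMEOUT)\s(?P<srcip>\d+\.\d+\.\d+\.\d+)\/")

# Assumed, for illustration only: a loose extraction anchored on the action
# token that takes the first run of digits. On these events it returns the
# session counter (5864897), the wrong value the question complains about.
LOOSE_RE = re.compile(r"match\s+\w+\s+(?P<src>\d+)")


def extract_loose(event: str) -> Optional[str]:
    """What a digits-only extraction captures: the counter, not the address."""
    m = LOOSE_RE.search(event)
    return m.group("src") if m else None


def extract_srcip(event: str, pattern: re.Pattern = SRCIP_RE) -> Optional[str]:
    """Capture the dotted-quad immediately after the protocol/state token."""
    m = pattern.search(event)
    return m.group("srcip") if m else None


def extract_srcip_validated(event: str) -> Optional[str]:
    """Same capture, then reject anything that is not a real IPv4 address.

    \\d+ does not bound octets, so 999.10.10.10 would otherwise pass through
    into src and silently defeat any lookup or blocklist keyed on that field.
    """
    raw = extract_srcip(event)
    if raw is None:
        return None
    try:
        return str(ipaddress.IPv4Address(raw))
    except ipaddress.AddressValueError:
        return None


def run_comparison(events):
    """Return (loose, strict, validated) for every event, for side-by-side review."""
    return [
        (extract_loose(e), extract_srcip(e), extract_srcip_validated(e))
        for e in events
    ]


if __name__ == "__main__":
    for loose, strict, valid in run_comparison(SAMPLE_EVENTS):
        print(f"loose={loose!s:>8}  strict={strict!s:>13}  validated={valid}")
```

The equivalent in SPL is `| rex field=_raw "(TCP|FIN|RST|TIMEOUT)\s(?<srcip>\d+\.\d+\.\d+\.\d+)/"`; because `rex` assigns its named group regardless of whether a field of that name already exists, it is a quick way to confirm the pattern against live events before committing it as a search-time extraction that competes with the add-on's own `src` definition.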