Solved: How to remove and isolate the SRC_ADDR and Port fr...

albyva · ‎12-18-2013

I've placed tcpdump for my server's interface into a cronjob that is writing the output
to a file. That file is then loaded into Splunk. I'm trying to extract the Source Address and
ports from the tcpdump data, but I'm running into a rex/regex knowledge wall.

17:05:04.419162 IP6 www.espeakers.com.ntp > myserver.com.ntp: NTPv4, Client, length 48

17:07:00.950849 IP6 jail2.daycos.com.ntp > myserver.com.ntp: NTPv4, Client, length 48

17:09:06.084146 IP6 greenbee.greenbeefundraising.com.ntp > myserver.com.ntp: NTPv4, Client, length 48

17:14:07.998611 IP6 pdr-lan.ipv6.xtcn.com.ntp > myserver.com.ntp: NTPv4, Client, length 48

17:19:03.210652 IP6 bonobo.mopidy.com.ntp > myserver.com.ntp: NTPv4, Client, length 48

What I'm looking for is the rex syntax that will:

(a) Pull out the Source Address
(b) Pull out the Source Port
(c) Repeat A and B, but on the Destination Address and Port.

I tried the extract wizard, but I can't seem to get it to meet my demands.

Thanks,

jsie_splunk · ‎12-18-2013

Try this:

| rex field=_raw "(?:\S+\s+){2}(?<src_fqdn>\S+)\.(?<src_svc>\w+)[\s\>]+(?<dst_fqdn>\S+)\.(?<dst_svc>\w+):"

This assumes what you've listed above is the entirety of each event, and performs the extractions setting the names listed. I tested it using the following two search commands. The first uses your existing format and the second tests to make sure it continues working if name/service resolution either isn't working, or if you decide to modify your tcpdump to not perform resolution.

source="*" | eval _raw="17:05:04.419162 IP6 bonobo.mopidy.com.ntp > myserver.com.ntp: NTPv4, Client, length 48" | rex field=_raw "(?:\S+\s+){2}(?<src_fqdn>\S+)\.(?<src_svc>\w+)[\s\>]+(?<dst_fqdn>\S+)\.(?<dst_svc>\w+):" | fields src_fqdn, src_svc, dst_fqdn, dst_svc

source="*" | eval _raw="17:05:04.419162 IP6 127.0.0.1.80 > 127.0.0.1.1234: NTPv4, Client, length 48" | rex field=_raw "(?:\S+\s+){2}(?<src_fqdn>\S+)\.(?<src_svc>\w+)[\s\>]+(?<dst_fqdn>\S+)\.(?<dst_svc>\w+):" | fields src_fqdn, src_svc, dst_fqdn, dst_svc

Regards and good luck.

View solution in original post

jsie_splunk · ‎12-18-2013

Try this:

| rex field=_raw "(?:\S+\s+){2}(?<src_fqdn>\S+)\.(?<src_svc>\w+)[\s\>]+(?<dst_fqdn>\S+)\.(?<dst_svc>\w+):"

This assumes what you've listed above is the entirety of each event, and performs the extractions setting the names listed. I tested it using the following two search commands. The first uses your existing format and the second tests to make sure it continues working if name/service resolution either isn't working, or if you decide to modify your tcpdump to not perform resolution.

source="*" | eval _raw="17:05:04.419162 IP6 bonobo.mopidy.com.ntp > myserver.com.ntp: NTPv4, Client, length 48" | rex field=_raw "(?:\S+\s+){2}(?<src_fqdn>\S+)\.(?<src_svc>\w+)[\s\>]+(?<dst_fqdn>\S+)\.(?<dst_svc>\w+):" | fields src_fqdn, src_svc, dst_fqdn, dst_svc

source="*" | eval _raw="17:05:04.419162 IP6 127.0.0.1.80 > 127.0.0.1.1234: NTPv4, Client, length 48" | rex field=_raw "(?:\S+\s+){2}(?<src_fqdn>\S+)\.(?<src_svc>\w+)[\s\>]+(?<dst_fqdn>\S+)\.(?<dst_svc>\w+):" | fields src_fqdn, src_svc, dst_fqdn, dst_svc

Regards and good luck.

albyva · ‎04-25-2014

Can somebody break out this search so I can create Field Extractions so it's hard coded?

jsie_splunk · ‎12-19-2013

You're welcome, Im glad it worked.

albyva · ‎12-19-2013

Thank You. This rex statement hit the nail on the spot.

How to remove and isolate the SRC_ADDR and Port from a tcpdump

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!