Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex for arpwatch extractions

ehoward
Path Finder
‎04-03-2014 12:56 PM

Does anyone have any field extraction regexes for arpwatch they could share? I could probably figure it out eventually but regexes are not my idea of fun.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎04-03-2014 10:49 PM

Hi ehoward,

like lukejadamec said sample data are most useful and your needs as well. Nevertheless since arpwatch is nothing else then syslog output and therefore pretty generic you can do some regex-Fu based on this log example:

Nov 10 15:59:34 debian arpwatch: new station 192.168.1.2 0:17:9a:a:f6:44 eth0
Nov 10 15:59:34 debian arpwatch: changed station 192.168.1.2 0:17:9a:b:f6:f6 (0:17:9a:a:f6:44)
Nov 10 15:59:34 debian arpwatch: new station 192.168.1.2 0:17:9a:a:f6:44 eth0
Nov 10 15:59:34 debian arpwatch: changed station 192.168.1.2 0:17:9a:b:f6:f6 (0:17:9a:a:f6:44)
Nov 10 15:59:34 debian arpwatch: new station 192.168.1.2 0:17:9a:a:f6:44 eth0
Nov 10 15:59:34 debian arpwatch: changed station 192.168.1.2 0:17:9a:b:f6:f6 (0:17:9a:a:f6:44)

using above sample use this:

... | rex field="_raw" "\:\s(?<arpwatchStatus>.+station)" | ...

to get a new field arpwatchStatus containing either new station or changed station.

Use this :

... | rex field="_raw" "\s(?<arpwatchInterface>[a-z]+[0-9])" | ...

to get a new field called arpwatchInterface containing in this case eth0.

You just learned search time field extraction, so you should know what the field names for the next examples will be and what they will contain:

... | rex field="_raw" "new\sstation\s(?<arpwatchNewIP>(\d+\.){3}\d+)\s" | ...
... | rex field="_raw" "new\sstation\s(\d+\.){3}\d+\s(?<arpwatchNewMAC>([0-9a-f]{1,2}[\.:-]){5}([0-9a-f]{1,2}))" | ...
... | rex field="_raw" "changed\sstation\s(?<arpwatchChangedIP>(\d+\.){3}\d+)\s" | ...
... | rex field="_raw" "changed\sstation\s(\d+\.){3}\d+\s(?<arpwatchChangedMAC>([0-9a-f]{1,2}[\.:-]){5}([0-9a-f]{1,2}))" | ...

field extraction can be setup to happen automatic, take a look at the docs about this.

hope this helps to get you going ...

cheers, MuS

PS: if this answer was useful, please tick the tick to mark it answered

View solution in original post

Reply
Solved! Jump to solution

sbrant_splunk
Splunk Employee
Splunk Employee
‎04-03-2014 10:50 PM

given that your record looks like this:

Apr  3 23:33:25 splunkiron arpwatch: new station 192.168.1.229 80:ea:96:b8:3:e3

You should be able to use this regex:

^(?:[^\s]+\s+){3}(?<host>[^\s]+)\s+(?<process>[^:]+):\s+(?<message>[^\d]+)(?<dest>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+(?<mac>.*)

If you provide some log samples and the fields you'd like extracted, I can be more precise.

Reply
Solved! Jump to solution
Solution

MuS
Legend
‎04-03-2014 10:49 PM

Hi ehoward,

like lukejadamec said sample data are most useful and your needs as well. Nevertheless since arpwatch is nothing else then syslog output and therefore pretty generic you can do some regex-Fu based on this log example:

Nov 10 15:59:34 debian arpwatch: new station 192.168.1.2 0:17:9a:a:f6:44 eth0
Nov 10 15:59:34 debian arpwatch: changed station 192.168.1.2 0:17:9a:b:f6:f6 (0:17:9a:a:f6:44)
Nov 10 15:59:34 debian arpwatch: new station 192.168.1.2 0:17:9a:a:f6:44 eth0
Nov 10 15:59:34 debian arpwatch: changed station 192.168.1.2 0:17:9a:b:f6:f6 (0:17:9a:a:f6:44)
Nov 10 15:59:34 debian arpwatch: new station 192.168.1.2 0:17:9a:a:f6:44 eth0
Nov 10 15:59:34 debian arpwatch: changed station 192.168.1.2 0:17:9a:b:f6:f6 (0:17:9a:a:f6:44)

using above sample use this:

... | rex field="_raw" "\:\s(?<arpwatchStatus>.+station)" | ...

to get a new field arpwatchStatus containing either new station or changed station.

Use this :

... | rex field="_raw" "\s(?<arpwatchInterface>[a-z]+[0-9])" | ...

to get a new field called arpwatchInterface containing in this case eth0.

You just learned search time field extraction, so you should know what the field names for the next examples will be and what they will contain:

... | rex field="_raw" "new\sstation\s(?<arpwatchNewIP>(\d+\.){3}\d+)\s" | ...
... | rex field="_raw" "new\sstation\s(\d+\.){3}\d+\s(?<arpwatchNewMAC>([0-9a-f]{1,2}[\.:-]){5}([0-9a-f]{1,2}))" | ...
... | rex field="_raw" "changed\sstation\s(?<arpwatchChangedIP>(\d+\.){3}\d+)\s" | ...
... | rex field="_raw" "changed\sstation\s(\d+\.){3}\d+\s(?<arpwatchChangedMAC>([0-9a-f]{1,2}[\.:-]){5}([0-9a-f]{1,2}))" | ...

field extraction can be setup to happen automatic, take a look at the docs about this.

hope this helps to get you going ...

cheers, MuS

PS: if this answer was useful, please tick the tick to mark it answered

Reply
Solved! Jump to solution

MuS
Legend
‎04-04-2014 06:43 AM

You're welcome. Please tick the tick in this case to mark this as answered - thx

0 Karma
Reply
Solved! Jump to solution

ehoward
Path Finder
‎04-04-2014 06:39 AM

Thank you all for you answers. I really appreciate all the help. I have fought my way through regexes before but if you don't do it every day it can be frustrating to pick it all up again. The samples you have provided me are a great start. Once I get all my fields properly defined I will post what I have.

0 Karma
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎04-03-2014 12:58 PM

You could of your data and what you want to extract.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...