Splunk Search

Regex for arpwatch extractions

ehoward
Path Finder

Does anyone have any field extraction regexes for arpwatch they could share? I could probably figure it out eventually but regexes are not my idea of fun.

0 Karma
1 Solution

MuS
SplunkTrust

Hi ehoward,

Like lukejadamec said, sample data (and your needs) are most useful. Nevertheless, since arpwatch is nothing other than syslog output and therefore pretty generic, you can do some regex-Fu based on this log example:

Nov 10 15:59:34 debian arpwatch: new station 192.168.1.2 0:17:9a:a:f6:44 eth0
Nov 10 15:59:34 debian arpwatch: changed station 192.168.1.2 0:17:9a:b:f6:f6 (0:17:9a:a:f6:44)
Nov 10 15:59:34 debian arpwatch: new station 192.168.1.2 0:17:9a:a:f6:44 eth0
Nov 10 15:59:34 debian arpwatch: changed station 192.168.1.2 0:17:9a:b:f6:f6 (0:17:9a:a:f6:44)
Nov 10 15:59:34 debian arpwatch: new station 192.168.1.2 0:17:9a:a:f6:44 eth0
Nov 10 15:59:34 debian arpwatch: changed station 192.168.1.2 0:17:9a:b:f6:f6 (0:17:9a:a:f6:44)

Using the above sample, use this:

... | rex field="_raw" "\:\s(?<arpwatchStatus>.+station)" | ...

to get a new field arpwatchStatus containing either new station or changed station.

Use this:

... | rex field="_raw" "\s(?<arpwatchInterface>[a-z]+[0-9])" | ...

to get a new field called arpwatchInterface containing in this case eth0.

You just learned search time field extraction, so you should know what the field names for the next examples will be and what they will contain:

... | rex field="_raw" "new\sstation\s(?<arpwatchNewIP>(\d+\.){3}\d+)\s" | ...
... | rex field="_raw" "new\sstation\s(\d+\.){3}\d+\s(?<arpwatchNewMAC>([0-9a-f]{1,2}[\.:-]){5}([0-9a-f]{1,2}))" | ...
... | rex field="_raw" "changed\sstation\s(?<arpwatchChangedIP>(\d+\.){3}\d+)\s" | ...
... | rex field="_raw" "changed\sstation\s(\d+\.){3}\d+\s(?<arpwatchChangedMAC>([0-9a-f]{1,2}[\.:-]){5}([0-9a-f]{1,2}))" | ...

Field extraction can be set up to happen automatically; take a look at the docs about this.

Hope this helps to get you going ...

cheers, MuS

PS: if this answer was useful, please tick the tick to mark it answered
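An added example (mine, not MuS's or the arpwatch project's code) that carries the extractions above through in Python over the thread's sample lines: one anchored pattern handles both "new station" and "changed station", also pulls the previous MAC out of the parentheses (which the rex patterns above leave unextracted), and zero-pads the octets so the values join with other log sources. The sample lines are constructed from the thread; Python's re needs (?P<name>...) where rex takes (?<name>...).

```python
import re

# Constructed sample lines in the syslog format shown in the thread (not from a real host).
SAMPLE_LOGS = [
    "Nov 10 15:59:34 debian arpwatch: new station 192.168.1.2 0:17:9a:a:f6:44 eth0",
    "Nov 10 15:59:34 debian arpwatch: changed station 192.168.1.2 0:17:9a:b:f6:f6 (0:17:9a:a:f6:44)",
    "Apr  3 23:33:25 splunkiron arpwatch: new station 192.168.1.229 80:ea:96:b8:3:e3",
]

# arpwatch prints MAC octets without zero padding ("0:17:9a:a:f6:44"), so each
# octet is 1-2 hex digits, exactly what MuS's {1,2} quantifier allows.
MAC = r"(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2}"

# One anchored pattern for both message types.  Python's re wants (?P<name>...)
# where Splunk's rex takes (?<name>...); the rest of the syntax is the same.
ARPWATCH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+arpwatch:\s+"
    r"(?P<status>new station|changed station)\s+"
    r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\s+"
    rf"(?P<mac>{MAC})"
    rf"(?:\s+\((?P<old_mac>{MAC})\))?"       # previous MAC, "changed station" only
    r"(?:\s+(?P<interface>[a-z]+\d+))?\s*$"  # interface, present on some lines only
)

def normalize_mac(mac):
    """Zero-pad octets (0:17:9a:a:f6:44 -> 00:17:9a:0a:f6:44) so values
    join cleanly with DHCP or switch logs that use the padded form."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def parse_line(line):
    """Return a dict of extracted fields for one arpwatch line, or None on no match."""
    m = ARPWATCH_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["mac"] = normalize_mac(fields["mac"])
    if fields["old_mac"]:
        fields["old_mac"] = normalize_mac(fields["old_mac"])
    return fields

def mac_changes(lines):
    """(ip, old_mac, new_mac) for every 'changed station' event: the condition
    arpwatch flags when a known IP starts answering from a different MAC."""
    parsed = (parse_line(line) for line in lines)
    return [(p["ip"], p["old_mac"], p["mac"])
            for p in parsed if p and p["status"] == "changed station"]
```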


sbrant_splunk
Splunk Employee

Given that your record looks like this:

Apr  3 23:33:25 splunkiron arpwatch: new station 192.168.1.229 80:ea:96:b8:3:e3

You should be able to use this regex:

^(?:[^\s]+\s+){3}(?<host>[^\s]+)\s+(?<process>[^:]+):\s+(?<message>[^\d]+)(?<dest>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+(?<mac>.*)

If you provide some log samples and the fields you'd like extracted, I can be more precise.


MuS
SplunkTrust

You're welcome. Please tick the tick in this case to mark this as answered - thx

0 Karma

ehoward
Path Finder

Thank you all for your answers. I really appreciate all the help. I have fought my way through regexes before, but if you don't do it every day it can be frustrating to pick it all up again. The samples you have provided me are a great start. Once I get all my fields properly defined I will post what I have.

0 Karma

lukejadamec
Super Champion

You could post a sample of your data and what you want to extract.

0 Karma