Hi everybody,
I am trying to use splunk> to extract some information from a set of IIS log files. Basically, I am working on an IPV6 vs IPV4 report. Yesterday, I did some tests at home, and everything worked fine. However, today at the customer site, I have detected a strange behavior on splunk>
I have attached a picture so you can easily see what I am talking about:
Here is the picture if it does not fit in your browser:
http://i55.tinypic.com/mhx5i.png
Apparently, splunk> tries to shrink the IPV6 address, but it uses :: even though the real address is not filled with zeros. And therefore, my regExp does not work fine, because it is for fully fledged IPV6 addresses. Anyway, I could work on another regExp, but the main point is that I am afraid splunk> is not indexing the information properly, shrinking IPV6 addresses when it is not allowed.
Thanks in advance
I don't think that Splunk is mangling your field value, but rather that the "c_ip" field is not extracted from the location you expect in the event:
It looks like some app that you have installed is performing the extraction of the "c_ip" field by default. I would recommend that you check the other fields extracted, as one of them might contain the value you care about but under a field name other than "c_ip".
Finally, if the value you care for is not being extracted at all, I recommend that you create your own field extraction following these instructions from our online documentation:
http://www.splunk.com/base/Documentation/latest/Knowledge/Addfieldsatsearchtime
...and using one of these fine regular expressions tailored for IPv6 addresses:
http://splunk-base.splunk.com/answers/8435/ipv6-addresses-parsed-properly
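As an added illustration (not part of the original thread, and not Splunk's own extraction logic): a small Python script that reads the client address from the c-ip column declared in the IIS #Fields header, classifies each event as IPv4 or IPv6 with the standard library's ipaddress module (which treats the written-out and :: forms as the same address), and shows how many events a regex written only for uncompressed IPv6 would miss. The log lines are constructed sample data.

```python
import ipaddress
import re
from collections import Counter

# Constructed IIS W3C extended log excerpt (sample data, not from the original post).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2011-05-10 08:15:02 2001:db8::10 GET /index.htm - 80 - 2001:db8:0:0:0:0:0:1 Mozilla/5.0 200 0 0 15
2011-05-10 08:15:03 10.0.0.5 GET /about.htm - 80 - 192.0.2.44 Mozilla/5.0 200 0 0 8
2011-05-10 08:15:04 2001:db8::10 GET /img/logo.png - 80 - fe80::1 Mozilla/5.0 304 0 0 3
2011-05-10 08:15:05 10.0.0.5 GET /login.aspx - 80 - not-an-ip Mozilla/5.0 400 0 0 2
"""

# Regex for "fully fledged" IPv6 only (eight hex groups), as in the question;
# it rejects the :: shorthand, so compressed addresses are silently missed.
FULL_IPV6_RE = re.compile(r"^(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}$")


def parse_iis_log(text):
    """Yield one dict per event, naming columns from the #Fields header.
    Reading c-ip by its declared column avoids confusing it with s-ip."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):  # skip malformed events, never misalign
            yield dict(zip(fields, values))


def classify_client_ip(value):
    """Return 'ipv4', 'ipv6' or 'invalid'; ipaddress accepts both the written-out
    and the :: form, so 2001:db8:0:0:0:0:0:1 and 2001:db8::1 both count as ipv6."""
    try:
        return "ipv6" if ipaddress.ip_address(value).version == 6 else "ipv4"
    except ValueError:
        return "invalid"


def ip_version_report(text):
    """Count events per address family: the IPv4-vs-IPv6 report from the question."""
    return dict(Counter(classify_client_ip(e["c-ip"]) for e in parse_iis_log(text)))


def full_form_regex_hits(text):
    """Count c-ip values the uncompressed-only regex would catch, for comparison."""
    return sum(1 for e in parse_iis_log(text) if FULL_IPV6_RE.match(e["c-ip"]))
```

On the sample above the report is {'ipv6': 2, 'ipv4': 1, 'invalid': 1}, while the full-form regex matches only one of the two IPv6 clients.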