
Help extracting fields (IPs and Ports) from a specific syslog message

healthtrans
Explorer

Can anyone assist with extracting the IP addresses and ports from this syslog message? I tried the 'extract fields' tool but was not successful.

Jul 21 14:09:23 192.168.1.1 HOSTNAME: NetScreen device_id=HOSTNAME [Root]system-alert-00016: Port scan! From 1.1.1.1:80 to 2.2.2.2:7136, proto TCP (zone Untrust int ethernet3). Occurred 1 times. (2011-07-21 09:09:17)

Thanks.

0 Karma

fk319
Builder

Use props.conf to call transforms.conf.

You can then build your regex:

# props.conf
[source::fromSomewhere]
# TRANSFORMS- is an index-time setting; REPORT- is the search-time equivalent
TRANSFORMS-getIP = from-to-ips

# transforms.conf
[from-to-ips]
# Matches: From 1.1.1.1:80 to 2.2.2.2:7136, proto
# The repeat count is written {1,3} with a comma; {1-3} is not a quantifier in PCRE
REGEX = From ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\:[0-9]{1,5}) to ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\:[0-9]{1,5}), proto
FORMAT = FromIP::$1 ToIP::$2

Depending on how strict you want your ip:port matching to be, you can tighten your regex.

0 Karma
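To check a transforms.conf-style regex against the NetScreen line outside Splunk, here is an added Python example (not from either poster). It mirrors the REGEX in the answer above with the quantifier written as {1,3}, uses named groups (the field names src_ip, src_port, dst_ip, dst_port, proto, zone and iface are my own choice), validates each octet, and rejects ports above 65535, which a bare five-digit match lets through.

```python
import re

# Constructed sample: the syslog line from the question, not a live capture.
SAMPLE = ("Jul 21 14:09:23 192.168.1.1 HOSTNAME: NetScreen device_id=HOSTNAME "
          "[Root]system-alert-00016: Port scan! From 1.1.1.1:80 to 2.2.2.2:7136, "
          "proto TCP (zone Untrust int ethernet3). Occurred 1 times. (2011-07-21 09:09:17)")

# One dotted-quad octet, 0-255 only; {1,3} would also accept 999.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
IPV4 = rf"{OCTET}(?:\.{OCTET}){{3}}"

# Same shape as the transforms.conf REGEX above ("From ip:port to ip:port, proto"),
# with named groups instead of $1/$2 and the zone/interface pulled out as well.
PORTSCAN_RE = re.compile(
    rf"From (?P<src_ip>{IPV4}):(?P<src_port>[0-9]{{1,5}}) "
    rf"to (?P<dst_ip>{IPV4}):(?P<dst_port>[0-9]{{1,5}}), "
    r"proto (?P<proto>[A-Z]+) \(zone (?P<zone>\S+) int (?P<iface>\S+)\)"
)


def extract_portscan(line):
    """Return the port-scan fields as a dict, or None if the line does not parse."""
    m = PORTSCAN_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("src_port", "dst_port"):
        port = int(fields[key])
        # [0-9]{1,5} also matches 65536..99999, so enforce the real port range.
        if not 0 <= port <= 65535:
            return None
        fields[key] = port
    return fields


if __name__ == "__main__":
    print(extract_portscan(SAMPLE))
```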

Drainy
Champion

You could build a custom transform.
http://www.splunk.com/base/Documentation/4.2.2/Data/Advancedsourcetypeoverrides

I've been playing around with this a lot lately.
For example...

16:31:55.879529 00:16:0a:0b:92:fb > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 150: 192.168.3.2.42090 > 192.168.3.255.111: UDP, length 108

is formatted with:

[tcpdump_basic]
REGEX = ([^ ]+)([ ])([^ ]+) ([>]) ([^,]+)([^ ]) ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+[^:]+) ([^ ]+) ([1-2]{0,1}[0-9]{1,2}.[1-2]{0,1}[0-9]{1,2}.[1-2]{0,1}[0-9]{1,2}.[1-2]{0,1}[0-9]{1,2})([.]+)([^>]+) ([>]) ([1-2]{0,1}[0-9]{1,2}.[1-2]{0,1}[0-9]{1,2}.[1-2]{0,1}[0-9]{1,2}.[1-2]{0,1}[0-9]{1,2})([.]+)([^:]+)([^ ]+) ([^ ]+)([,]+)

FORMAT = timestamp::$1 src_mac::$3 dest_mac::$5 net_layer::$8 source_host::$12 source_port::$14 destin_host::$16 destin_port::$18 protocol::$20

The above goes in transforms.conf and then I just pop the following bit in props.conf

REPORT-tcpdump_basic = tcpdump_basic

You need to do a little bit more in props to define a sourcetype but you get the general idea. Don't let the regex scare you either. Copy and paste the regex and my example text to http://gskinner.com/RegExr/ and then hover over the highlighted output. It breaks down what each group relates to.
Now in my search window it correctly picks out all the right fields with the names I've defined.

Maybe slightly easier: there is a new version of the field extractor on apps that is apparently a lot better than the baked-in one, if you don't already have it.

EDIT: Link to the new field extractor

0 Karma