Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to put a conditional statement in a field extraction?

brent_weaver
Builder
‎11-01-2016 11:50 AM

I have files I am ingesting that have variable formats. I want to pick those lines out that only have an IP address as the third value and extract that as srcIP. Is this possible to essentially put a conditional statement in so I don't get all the garbage from the "other" data in the logs?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gokadroid
Motivator
‎11-01-2016 12:45 PM

if the IP you are looking for is before %ASA then try this which will save that in srcIP field:

yourBasequery
| rex "(?<srcIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s%ASA"
| user srcIP here

check the extraction here

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gokadroid
Motivator
‎11-01-2016 12:45 PM

if the IP you are looking for is before %ASA then try this which will save that in srcIP field:

yourBasequery
| rex "(?<srcIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s%ASA"
| user srcIP here

check the extraction here

0 Karma
Reply
Solved! Jump to solution

brent_weaver
Builder
‎11-01-2016 01:41 PM

I was able to solve this by using field extractor in the webui. It gave me the ability to say a string is "required" which would filter for %ASA. I was then able to utilize it to build my regular expression and it worked very nicely

0 Karma
Reply
Solved! Jump to solution

brent_weaver
Builder
‎11-01-2016 12:35 PM

We may see this:

Oct 31 13:48:30 10.251.44.137 %ASA-4-106023: Deny tcp src clc:10.40.2.13/59318 dst outside:46.6.11.38/3389 by access-group "clc_in" [0x0, 0x0]

Or 

Oct 31 13:48:30 10.251.44.137 %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 2 per second, max configured rate is 10; Current average rate is 8 per second, max configured rate is 5; Cumulative total count is 5176

I guess one could say I want only the lines that have %ASA in them. How do I do that?

0 Karma
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎11-01-2016 12:44 PM

I don't understand. both of these events have %ASA in them. Also, is your intention to drop the events you don't want completely (not indexed) or keep the events but not extract the src_ip field?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎11-01-2016 12:44 PM

Which ip address value you want to pick? could you highlight?

0 Karma
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎11-01-2016 12:28 PM

It should be possible. Can you post some example events?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...