
how do I manipulate string data in tstats results?

MonkeyK
Builder

I am trying to get all DHCP records for machines on which an authentication attempt was made for a user. I am doing this with a subsearch on the Authentication datamodel for the authentication sources.

One thing that I noticed is that sometimes my authentication info has the machine name, while other times it has the IP Address source, but prepended with "::ffff:"
That extra bit at the front makes the source unfindable in DHCP logs. Is there a way for my tstats result to remove the "::ffff:"?

I have tried

|tstats count FROM datamodel=Authentication WHERE Authentication.user="<user>"  Authentication.action="failure" by Authentication.src | eval src=ltrim(Authentication.src,"::ffff:") | fields src

for which I end up with an empty field called src

and (longshot)

|tstats count FROM datamodel=Authentication WHERE Authentication.user="userName"  Authentication.action="failure" by ltrim(Authentication.src,"::ffff:")

which gives me the error: Error in 'tstats' command: Invalid argument: '::ffff:)'

if it matters, here is the larger query

sourcetype=DhcpSrvLog  "DNS Update Successful" [|tstats count FROM datamodel=Authentication WHERE Authentication.user="userName" Authentication.action="failure" by Authentication.src | rename Authentication.src as search]  | table time dest dest_ip

somesoni2
SplunkTrust

Try this

|tstats count FROM datamodel=Authentication WHERE Authentication.user="<user>"  Authentication.action="failure" by Authentication.src | eval src=replace('Authentication.src',"::ffff:","") | fields src

MonkeyK
Builder

Perfect, that does it! I guess that I need the field name in single quotes. Did not realize that.


somesoni2
SplunkTrust

Yes, for field names which contain special characters like colon, dot, space, etc. (underscore is fine).

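An added worked example, not code from the thread or from Splunk, showing why the first attempt with ltrim behaves differently from the accepted replace answer and what a more robust normalisation of "::ffff:"-prefixed sources looks like. Splunk's ltrim(str, chars) and replace(str, regex, repl) have the same semantics as Python's str.lstrip and re.sub: ltrim strips any run of the listed characters from the left (here the set {':', 'f'}), it does not remove a prefix, so it would also eat the leading "f" of a hostname such as "fileserver01". The literal replace in the accepted answer is safe for hostnames, but an IPv4-mapped IPv6 address can also arrive in hex form ("::ffff:a01:203"), which a substring replace turns into a value that will never match a DHCP record. Parsing the value as an address with the standard ipaddress module covers both forms. The sample source values are constructed for this example; the function names are this example's own.

```python
"""Mirror the two SPL approaches from the thread and add an address-parsing
normaliser, so the values can be compared against DHCP logs.

ltrim_style    ~ eval src=ltrim('Authentication.src', "::ffff:")
replace_style  ~ eval src=replace('Authentication.src', "::ffff:", "")
normalize_src  ~ parse as IP, unwrap IPv4-mapped IPv6 (assumed approach,
                 not something SPL's eval offers as a single function)
"""

import ipaddress
import re

# Constructed sample of what Authentication.src might carry: a hostname,
# a dotted IPv4-mapped IPv6 address, the same address in hex form, and a
# plain IPv4 address.
SAMPLE_SOURCES = [
    "fileserver01",
    "::ffff:10.1.2.3",
    "::ffff:a01:203",
    "10.1.2.3",
]


def ltrim_style(src: str) -> str:
    """Character-set trim, as SPL's ltrim does.

    The second argument is the set of characters {':', 'f'}, so every
    leading ':' or 'f' is removed, including the 'f' of "fileserver01".
    """
    return src.lstrip("::ffff:")


def replace_style(src: str) -> str:
    """Literal substring/regex replacement, as in the accepted answer.

    Safe for hostnames and for the dotted form, but the hex form of a
    mapped address is left as "a01:203", which matches nothing in DHCP.
    """
    return re.sub("::ffff:", "", src)


def normalize_src(src: str) -> str:
    """Return the embedded IPv4 address for IPv4-mapped IPv6 input.

    Hostnames (not parseable as an address) and plain IPv4 addresses are
    returned unchanged, so the result can be used directly as a search
    term against the DHCP sourcetype.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return src  # not an address at all, e.g. a hostname
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def normalize_all(sources) -> set:
    """Set of distinct search terms to feed into the DHCP subsearch."""
    return {normalize_src(s) for s in sources}


if __name__ == "__main__":
    print(f"{'source':20} {'ltrim':16} {'replace':16} {'parsed':16}")
    for s in SAMPLE_SOURCES:
        print(f"{s:20} {ltrim_style(s):16} {replace_style(s):16} {normalize_src(s):16}")
    print("terms for DHCP search:", sorted(normalize_all(SAMPLE_SOURCES)))
```

Running the block prints a comparison table: the ltrim column shows "ileserver01" for the hostname, the replace column shows "a01:203" for the hex-form address, and only the parsed column yields values that exist in DHCP logs. In SPL the same caveat applies to the accepted answer: replace() is a string operation, so if the hex form ever appears in Authentication.src it needs separate handling.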