Hi, I just started using Splunk and am stuck on an issue.
I get syslog messages from the firewall (src 192.168.77.1), and they are related to the "Blocked Web Sites" message. I was trying to make a daily report based on users' source IP addresses for attempts to reach blocked sites, but when I put a new search string with 'src', it kept getting the firewall src IP instead of the user src IP. How do you make Splunk distinguish those?
Here is the raw info, and there are two 'src' values.
Sep 11 20:15:36 192.168.77.1 Sep 11 20:15:39 2012 zywall src="192.168.88.126:60122" dst="67.228.197.199:80" msg="URL:fs.teamlava.com/api.php?cv=2.0.1&method=getBoardForProfileId&ctx=SocialViewController&nflrt=2012-09-06%2019%3A52%3A25&st=24" note="WEB DEBUG" user="unknown" devID="5067f0181086" cat="Blocked Web Sites"
host=192.168.77.1 source=udp:514 date_hour=20 src=192.168.77.1 user=unknown
Any advice will be really appreciated.
Thank you
Chris
You might want to do this in your search, like this:
| rex "src=\"?(?<sources>[0-9.]+)" max_match=2 | eval src1=mvindex(sources,0) | eval src2=mvindex(sources,-1) | table src1 src2
If this is a regular thing, then you might want to look at this
The MV_ADD directive tells Splunk to make fields multivalue if a field is repeated.
Thank you for the comments, and you are right, your suggestion is useful on an event-by-event basis. I learned some logic from your search string. Really appreciate it.
By the way, I found what I want through the "interactive extract field" option, and the regex pattern for the second 'src'/user is (?i) src="(?P
Now I know how I can customize raw data.
Again, thank you for your help.
No. The extraction is done on an event-by-event basis.
With this extraction, every result will have a src1 and a src2.
So, if I'm reading the question correctly, src1 will be the firewall IP and src2 will be the user IP.
If you have a specific search requirement (like listing the top user IPs) post it up..
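To make the two-src split concrete, here is an added stand-alone Python example (not Splunk search language, and not code from anyone in this thread) that keeps the syslog sender as host and the quoted body src as a separately named client_src with the port stripped, then counts blocked attempts per client per day, which is the daily report asked for above. The event lines are constructed samples in the ZyWALL shape quoted in the question.

```python
import re
from collections import Counter

# Constructed sample events in the ZyWALL syslog shape shown in the thread.
# The IP right after the first timestamp is the syslog sender (the firewall);
# the quoted src="..." inside the message body is the client that was blocked.
EVENTS = [
    'Sep 11 20:15:36 192.168.77.1 Sep 11 20:15:39 2012 zywall src="192.168.88.126:60122" dst="67.228.197.199:80" msg="URL:fs.teamlava.com/api.php" note="WEB DEBUG" user="unknown" devID="5067f0181086" cat="Blocked Web Sites"',
    'Sep 11 21:02:10 192.168.77.1 Sep 11 21:02:13 2012 zywall src="192.168.88.40:51000" dst="10.0.0.5:443" msg="URL:example.test/x" note="WEB DEBUG" user="unknown" devID="5067f0181086" cat="Blocked Web Sites"',
    'Sep 12 08:00:01 192.168.77.1 Sep 12 08:00:03 2012 zywall src="192.168.88.126:60200" dst="10.0.0.5:80" msg="URL:example.test/y" note="WEB DEBUG" user="unknown" devID="5067f0181086" cat="Blocked Web Sites"',
    'Sep 12 08:05:00 192.168.77.1 Sep 12 08:05:02 2012 zywall src="192.168.88.126:60201" dst="10.0.0.5:80" msg="URL:example.test/z" note="WEB DEBUG" user="unknown" devID="5067f0181086" cat="Forward Web Sites"',
]

# Syslog header: "<Mon> <day> <hh:mm:ss> <sender-ip> ..."
HEADER_RE = re.compile(r'^(?P<mon>\w{3}) +(?P<day>\d{1,2}) \d\d:\d\d:\d\d (?P<host>[0-9.]+) ')
# Body fields are key="value" pairs; the quotes keep values with spaces intact.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(raw):
    """Return the header host plus body fields; client_src is the body src without its port."""
    m = HEADER_RE.match(raw)
    if not m:
        return None
    fields = dict(KV_RE.findall(raw))
    client = fields.get("src", "")
    fields["client_src"] = client.rsplit(":", 1)[0] if ":" in client else client
    fields["host"] = m.group("host")          # firewall, never confused with the client
    fields["day"] = f"{m.group('mon')} {int(m.group('day')):02d}"
    return fields


def blocked_per_client_per_day(events):
    """Count events whose cat is 'Blocked Web Sites', keyed by (day, client IP)."""
    counts = Counter()
    for raw in events:
        f = parse_event(raw)
        if f and f.get("cat") == "Blocked Web Sites":
            counts[(f["day"], f["client_src"])] += 1
    return counts


if __name__ == "__main__":
    for (day, ip), n in sorted(blocked_per_client_per_day(EVENTS).items()):
        print(day, ip, n)
```

In Splunk the same idea is to extract the body src into a distinctly named field rather than reuse the name that the syslog header already gave to the firewall.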
John,
Thank you for your time and answer.
I just tried your suggestion and realized that src2 is stuck with one IP value. There are about 120 users in my network, meaning 120 IP addresses can be on src2. Do I need to create eval src2, src3, src4, src5 ... src120???
As you suggested, I am reviewing the MV_ADD option, but I guess it will take some time to apply.
Thank you
Chris