
Map a field to a value within the log file

neltonk
Path Finder

I am working with clock sync log files. The first three lines hold the IP address -> MAC address mapping; the remaining lines hold the offset and sync-delay details of each host, keyed by MAC address (format shown below). Is it possible to extract the IP address from the first three lines and map it onto each log entry in my offset report?

{ "node": {"port-id": "000f:53ff:fe59:f640.1", "domain": 3, "address": "10.0.0.1" } }
{ "node": {"port-id": "000f:53ff:fe59:f720.1", "domain": 1, "address": "10.0.0.2" } }
{ "node": {"port-id": "000f:53ff:fe59:f620.2", "domain": 0, "address": "10.0.0.3" } }
{ "rx-event": {"monitor-seq-id": 0, "monitor-timestamp": "2018-01-02 03:24:08.454728", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18218, "offset-from-master": -11.000000, "mean-path-delay": 1771.000000, "sync-ingress-timestamp": 1514863478.454504073 } }
{ "rx-event": {"monitor-seq-id": 1, "monitor-timestamp": "2018-01-02 03:24:08.454730", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18219, "offset-from-master": -11.000000, "mean-path-delay": 1771.000000, "sync-ingress-timestamp": 1514863479.454501525 } }
{ "rx-event": {"monitor-seq-id": 2, "monitor-timestamp": "2018-01-02 03:24:08.454730", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18220, "offset-from-master": -11.000000, "mean-path-delay": 1771.000000, "sync-ingress-timestamp": 1514863480.454500265 } }
{ "rx-event": {"monitor-seq-id": 3, "monitor-timestamp": "2018-01-02 03:24:08.454730", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18221, "offset-from-master": -13.000000, "mean-path-delay": 1773.000000, "sync-ingress-timestamp": 1514863481.454496428 } }
{ "rx-event": {"monitor-seq-id": 4, "monitor-timestamp": "2018-01-02 03:24:08.454731", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18222, "offset-from-master": 20.000000, "mean-path-delay": 1781.000000, "sync-ingress-timestamp": 1514863482.454495132 } }
{ "rx-event": {"monitor-seq-id": 5, "monitor-timestamp": "2018-01-02 03:24:08.454732", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18223, "offset-from-master": 13.500000, "mean-path-delay": 1774.500000, "sync-ingress-timestamp": 1514863483.454491258 } }
{ "rx-event": {"monitor-seq-id": 6, "monitor-timestamp": "2018-01-02 03:24:08.454732", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18224, "offset-from-master": 13.500000, "mean-path-delay": 1774.500000, "sync-ingress-timestamp": 1514863484.454488702 } }
{ "rx-event": {"monitor-seq-id": 7, "monitor-timestamp": "2018-01-02 03:24:08.454733", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18225, "offset-from-master": 15.500000, "mean-path-delay": 1767.500000, "sync-ingress-timestamp": 1514863485.454487436 } }
{ "rx-event": {"monitor-seq-id": 8, "monitor-timestamp": "2018-01-02 03:24:08.788909", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47448, "offset-from-master": 26.500000, "mean-path-delay": 1894.500000, "sync-ingress-timestamp": 1514863478.788863443 } }
{ "rx-event": {"monitor-seq-id": 9, "monitor-timestamp": "2018-01-02 03:24:08.788910", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47449, "offset-from-master": 9.000000, "mean-path-delay": 1897.000000, "sync-ingress-timestamp": 1514863479.788860880 } }
{ "rx-event": {"monitor-seq-id": 10, "monitor-timestamp": "2018-01-02 03:24:08.788911", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47450, "offset-from-master": 8.000000, "mean-path-delay": 1896.000000, "sync-ingress-timestamp": 1514863480.788858317 } }
{ "rx-event": {"monitor-seq-id": 11, "monitor-timestamp": "2018-01-02 03:24:08.788912", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47451, "offset-from-master": 8.000000, "mean-path-delay": 1896.000000, "sync-ingress-timestamp": 1514863481.788857043 } }
{ "rx-event": {"monitor-seq-id": 12, "monitor-timestamp": "2018-01-02 03:24:08.788912", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47452, "offset-from-master": 8.000000, "mean-path-delay": 1896.000000, "sync-ingress-timestamp": 1514863482.788853191 } }
{ "rx-event": {"monitor-seq-id": 13, "monitor-timestamp": "2018-01-02 03:24:08.788913", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47453, "offset-from-master": -1.000000, "mean-path-delay": 1896.000000, "sync-ingress-timestamp": 1514863483.788851917 } }
{ "rx-event": {"monitor-seq-id": 14, "monitor-timestamp": "2018-01-02 03:24:08.788913", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47454, "offset-from-master": -3.500000, "mean-path-delay": 1893.500000, "sync-ingress-timestamp": 1514863484.788848072 } }

I am new to Splunk and regex, so any help is appreciated.


DalJeanis
SplunkTrust

This line should extract the data you need; with no field= it runs against _raw:

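| rex "\"port-id\":\s*\"(?<node>[0-9a-fA-F:.]+)\",.*?\"address\":\s*\"(?<address>\d+\.\d+\.\d+\.\d+)\""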

Here is an example of one way you could proceed (the first three commands only build test data; against real events, drop them and run the rex commands on _raw):

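| makeresults
| eval mydata="{ \"node\": {\"port-id\": \"000f:53ff:fe59:f640.1\", \"domain\": 3, \"address\": \"10.0.0.1\" } }!!!!!{ \"node\": {\"port-id\": \"000f:53ff:fe59:f720.1\", \"domain\": 1, \"address\": \"10.0.0.2\" } }!!!!!{ \"node\": {\"port-id\": \"000f:53ff:fe59:f620.2\", \"domain\": 0, \"address\": \"10.0.0.3\" } }!!!!!{ \"rx-event\": {\"monitor-seq-id\": 0, \"monitor-timestamp\": \"2018-01-02 03:24:08.454728\", \"node\": \"000f:53ff:fe59:f640.1\", \"parent-port\": \"ec46:70ff:fe00:be6d.1\", \"sync-seq\": 18218, \"offset-from-master\": -11.000000, \"mean-path-delay\": 1771.000000, \"sync-ingress-timestamp\": 1514863478.454504073 } }!!!!!{ \"rx-event\": {\"monitor-seq-id\": 1, \"monitor-timestamp\": \"2018-01-02 03:24:08.454730\", \"node\": \"000f:53ff:fe59:f640.1\", \"parent-port\": \"ec46:70ff:fe00:be6d.1\", \"sync-seq\": 18219, \"offset-from-master\": -11.000000, \"mean-path-delay\": 1771.000000, \"sync-ingress-timestamp\": 1514863479.454501525 } }!!!!!{ \"rx-event\": {\"monitor-seq-id\": 2, \"monitor-timestamp\": \"2018-01-02 03:24:08.454730\", \"node\": \"000f:53ff:fe59:f640.1\", \"parent-port\": \"ec46:70ff:fe00:be6d.1\", \"sync-seq\": 18220, \"offset-from-master\": -11.000000, \"mean-path-delay\": 1771.000000, \"sync-ingress-timestamp\": 1514863480.454500265 } }"
| makemv delim="!!!!!" mydata 
| mvexpand mydata
| rename COMMENT as "The above just creates test data - one event per original log line. Against real events, replace these three commands with your base search and omit field=mydata on the rex commands so they run on _raw."

| rename COMMENT as "This pulls the node and address off the MAC address mapping records. The port-id is read up to its closing quote instead of as exactly 21 characters, so a port suffix longer than one digit (e.g. .12) still matches."
| rex field=mydata "port-id\":\s*\"(?<node>[0-9a-fA-F:.]+)\",.*\"address\":\s*\"(?<address>\d+\.\d+\.\d+\.\d+)\""

| rename COMMENT as "Mark the mapping records now, while only they carry address - after eventstats below every record has one and they can no longer be told apart"
| eval killme=case(isnotnull(address),"killme")

| rename COMMENT as "This pulls the node off the log entries - you need to do whatever else here that you want for the report. On mapping records node is an object rather than a quoted string, so this rex does not match them and the node extracted above is kept."
| rex field=mydata "node\":\s*\"(?<node>[0-9a-fA-F:.]+)\""

| rename COMMENT as "Now we roll the address from the MAC to the log records. address_count exposes a node that the mapping lines tie to more than one address - max() alone would pick one of them silently. A log record whose node has no mapping line ends up with a null address."
| eventstats max(address) as address, dc(address) as address_count by node

| rename COMMENT as "and kill the unneeded MAC records, then drop the marker field"
| where isnull(killme)
| fields - killme

| rename COMMENT as "Or you can wait until this point and NOW do whatever else here that you want for the report"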