
Map a field to a value within the log file

neltonk
Path Finder

I am working with clock sync log files. The top 3 lines have the IP address -> MAC address mapping. The rest of the lines have the offset and sync-delay details of each host, keyed by the MAC address (format shown below). Is it possible to extract the IP address from the first three lines and map it to each log entry in my offset report?

{ "node": {"port-id": "000f:53ff:fe59:f640.1", "domain": 3, "address": "10.0.0.1" } }
{ "node": {"port-id": "000f:53ff:fe59:f720.1", "domain": 1, "address": "10.0.0.2" } }
{ "node": {"port-id": "000f:53ff:fe59:f620.2", "domain": 0, "address": "10.0.0.3" } }
{ "rx-event": {"monitor-seq-id": 0, "monitor-timestamp": "2018-01-02 03:24:08.454728", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18218, "offset-from-master": -11.000000, "mean-path-delay": 1771.000000, "sync-ingress-timestamp": 1514863478.454504073 } }
{ "rx-event": {"monitor-seq-id": 1, "monitor-timestamp": "2018-01-02 03:24:08.454730", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18219, "offset-from-master": -11.000000, "mean-path-delay": 1771.000000, "sync-ingress-timestamp": 1514863479.454501525 } }
{ "rx-event": {"monitor-seq-id": 2, "monitor-timestamp": "2018-01-02 03:24:08.454730", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18220, "offset-from-master": -11.000000, "mean-path-delay": 1771.000000, "sync-ingress-timestamp": 1514863480.454500265 } }
{ "rx-event": {"monitor-seq-id": 3, "monitor-timestamp": "2018-01-02 03:24:08.454730", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18221, "offset-from-master": -13.000000, "mean-path-delay": 1773.000000, "sync-ingress-timestamp": 1514863481.454496428 } }
{ "rx-event": {"monitor-seq-id": 4, "monitor-timestamp": "2018-01-02 03:24:08.454731", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18222, "offset-from-master": 20.000000, "mean-path-delay": 1781.000000, "sync-ingress-timestamp": 1514863482.454495132 } }
{ "rx-event": {"monitor-seq-id": 5, "monitor-timestamp": "2018-01-02 03:24:08.454732", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18223, "offset-from-master": 13.500000, "mean-path-delay": 1774.500000, "sync-ingress-timestamp": 1514863483.454491258 } }
{ "rx-event": {"monitor-seq-id": 6, "monitor-timestamp": "2018-01-02 03:24:08.454732", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18224, "offset-from-master": 13.500000, "mean-path-delay": 1774.500000, "sync-ingress-timestamp": 1514863484.454488702 } }
{ "rx-event": {"monitor-seq-id": 7, "monitor-timestamp": "2018-01-02 03:24:08.454733", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18225, "offset-from-master": 15.500000, "mean-path-delay": 1767.500000, "sync-ingress-timestamp": 1514863485.454487436 } }
{ "rx-event": {"monitor-seq-id": 8, "monitor-timestamp": "2018-01-02 03:24:08.788909", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47448, "offset-from-master": 26.500000, "mean-path-delay": 1894.500000, "sync-ingress-timestamp": 1514863478.788863443 } }
{ "rx-event": {"monitor-seq-id": 9, "monitor-timestamp": "2018-01-02 03:24:08.788910", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47449, "offset-from-master": 9.000000, "mean-path-delay": 1897.000000, "sync-ingress-timestamp": 1514863479.788860880 } }
{ "rx-event": {"monitor-seq-id": 10, "monitor-timestamp": "2018-01-02 03:24:08.788911", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47450, "offset-from-master": 8.000000, "mean-path-delay": 1896.000000, "sync-ingress-timestamp": 1514863480.788858317 } }
{ "rx-event": {"monitor-seq-id": 11, "monitor-timestamp": "2018-01-02 03:24:08.788912", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47451, "offset-from-master": 8.000000, "mean-path-delay": 1896.000000, "sync-ingress-timestamp": 1514863481.788857043 } }
{ "rx-event": {"monitor-seq-id": 12, "monitor-timestamp": "2018-01-02 03:24:08.788912", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47452, "offset-from-master": 8.000000, "mean-path-delay": 1896.000000, "sync-ingress-timestamp": 1514863482.788853191 } }
{ "rx-event": {"monitor-seq-id": 13, "monitor-timestamp": "2018-01-02 03:24:08.788913", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47453, "offset-from-master": -1.000000, "mean-path-delay": 1896.000000, "sync-ingress-timestamp": 1514863483.788851917 } }
{ "rx-event": {"monitor-seq-id": 14, "monitor-timestamp": "2018-01-02 03:24:08.788913", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47454, "offset-from-master": -3.500000, "mean-path-delay": 1893.500000, "sync-ingress-timestamp": 1514863484.788848072 } }

I am new to Splunk and regex... please help.


DalJeanis
Legend

This line should extract the data you need:

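| rex "\"port-id\":\s+\"(?<node>[0-9a-fA-F]{4}(?::[0-9a-fA-F]{4}){3}\.\d+)\",.*?\"address\":\s+\"(?<address>\d+\.\d+\.\d+\.\d+)\""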

Here's an example of one way you could proceed:

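| makeresults
| eval mydata="{ \"node\": {\"port-id\": \"000f:53ff:fe59:f640.1\", \"domain\": 3, \"address\": \"10.0.0.1\" } }!!!!!{ \"node\": {\"port-id\": \"000f:53ff:fe59:f720.1\", \"domain\": 1, \"address\": \"10.0.0.2\" } }!!!!!{ \"node\": {\"port-id\": \"000f:53ff:fe59:f620.2\", \"domain\": 0, \"address\": \"10.0.0.3\" } }!!!!!{ \"rx-event\": {\"monitor-seq-id\": 0, \"monitor-timestamp\": \"2018-01-02 03:24:08.454728\", \"node\": \"000f:53ff:fe59:f640.1\", \"parent-port\": \"ec46:70ff:fe00:be6d.1\", \"sync-seq\": 18218, \"offset-from-master\": -11.000000, \"mean-path-delay\": 1771.000000, \"sync-ingress-timestamp\": 1514863478.454504073 } }!!!!!{ \"rx-event\": {\"monitor-seq-id\": 1, \"monitor-timestamp\": \"2018-01-02 03:24:08.454730\", \"node\": \"000f:53ff:fe59:f640.1\", \"parent-port\": \"ec46:70ff:fe00:be6d.1\", \"sync-seq\": 18219, \"offset-from-master\": -11.000000, \"mean-path-delay\": 1771.000000, \"sync-ingress-timestamp\": 1514863479.454501525 } }!!!!!{ \"rx-event\": {\"monitor-seq-id\": 2, \"monitor-timestamp\": \"2018-01-02 03:24:08.454730\", \"node\": \"000f:53ff:fe59:f640.1\", \"parent-port\": \"ec46:70ff:fe00:be6d.1\", \"sync-seq\": 18220, \"offset-from-master\": -11.000000, \"mean-path-delay\": 1771.000000, \"sync-ingress-timestamp\": 1514863480.454500265 } }"
| makemv delim="!!!!!" mydata 
| mvexpand mydata
| rename COMMENT as "The above just creates test data. With real events, replace those three lines with your base search and use rex field=_raw instead of rex field=mydata below."

| rename COMMENT as "This pulls the node and address off the MAC address mapping records. port-id is four hex groups plus a dotted port number, so the pattern accepts port numbers of any length and rejects strings that are only colons and dots."
| rex field=mydata "port-id\":\s+\"(?<node>[0-9a-fA-F]{4}(?::[0-9a-fA-F]{4}){3}\.\d+)\",.*\"address\":\s+?\"(?<address>\d+\.\d+\.\d+\.\d+)\""

| rename COMMENT as "Mark the mapping records so they can be dropped once their address has been copied onto the log entries. Only mapping records have address set at this point."
| eval killme=case(isnotnull(address),"killme")

| rename COMMENT as "This pulls the node off the log entries - you need to do whatever else here that you want for the report. It only matches node as a quoted string, so the mapping records (where node is an object) keep the value extracted above."
| rex field=mydata "node\":\s+\"(?<node>[0-9a-fA-F]{4}(?::[0-9a-fA-F]{4}){3}\.\d+)\""

| rename COMMENT as "Now we roll the address from the MAC to the log records. eventstats only sees events in this search result set, so the mapping records must fall inside the search time range. address_count greater than 1 means one node was mapped to more than one address; max picks the lexicographically largest string, so treat those nodes as ambiguous rather than trusting the pick."
| eventstats max(address) as address, dc(address) as address_count by node

| rename COMMENT as "and kill the unneeded MAC records"
| where isnull(killme)

| rename COMMENT as "Or you can wait until this point and NOW do whatever else here that you want for the report"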