- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Map a field to a value within the log file
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Map a field to a value within the log file
I am working with clock sync log files. The top 3 lines have the ip address -> MAC address mapping... The rest of the lines have the offset and sync-delay details of each host with the MAC address. (format shown below). Is it possible to extract the ip address from the first three lines and map it to each log entry in my offset report.
{ "node": {"port-id": "000f:53ff:fe59:f640.1", "domain": 3, "address": "10.0.0.1" } }
{ "node": {"port-id": "000f:53ff:fe59:f720.1", "domain": 1, "address": "10.0.0.2" } }
{ "node": {"port-id": "000f:53ff:fe59:f620.2", "domain": 0, "address": "10.0.0.3" } }
{ "rx-event": {"monitor-seq-id": 0, "monitor-timestamp": "2018-01-02 03:24:08.454728", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18218, "offset-from-master": -11.000000, "mean-path-delay": 1771.000000, "sync-ingress-timestamp": 1514863478.454504073 } }
{ "rx-event": {"monitor-seq-id": 1, "monitor-timestamp": "2018-01-02 03:24:08.454730", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18219, "offset-from-master": -11.000000, "mean-path-delay": 1771.000000, "sync-ingress-timestamp": 1514863479.454501525 } }
{ "rx-event": {"monitor-seq-id": 2, "monitor-timestamp": "2018-01-02 03:24:08.454730", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18220, "offset-from-master": -11.000000, "mean-path-delay": 1771.000000, "sync-ingress-timestamp": 1514863480.454500265 } }
{ "rx-event": {"monitor-seq-id": 3, "monitor-timestamp": "2018-01-02 03:24:08.454730", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18221, "offset-from-master": -13.000000, "mean-path-delay": 1773.000000, "sync-ingress-timestamp": 1514863481.454496428 } }
{ "rx-event": {"monitor-seq-id": 4, "monitor-timestamp": "2018-01-02 03:24:08.454731", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18222, "offset-from-master": 20.000000, "mean-path-delay": 1781.000000, "sync-ingress-timestamp": 1514863482.454495132 } }
{ "rx-event": {"monitor-seq-id": 5, "monitor-timestamp": "2018-01-02 03:24:08.454732", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18223, "offset-from-master": 13.500000, "mean-path-delay": 1774.500000, "sync-ingress-timestamp": 1514863483.454491258 } }
{ "rx-event": {"monitor-seq-id": 6, "monitor-timestamp": "2018-01-02 03:24:08.454732", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18224, "offset-from-master": 13.500000, "mean-path-delay": 1774.500000, "sync-ingress-timestamp": 1514863484.454488702 } }
{ "rx-event": {"monitor-seq-id": 7, "monitor-timestamp": "2018-01-02 03:24:08.454733", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18225, "offset-from-master": 15.500000, "mean-path-delay": 1767.500000, "sync-ingress-timestamp": 1514863485.454487436 } }
{ "rx-event": {"monitor-seq-id": 8, "monitor-timestamp": "2018-01-02 03:24:08.788909", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47448, "offset-from-master": 26.500000, "mean-path-delay": 1894.500000, "sync-ingress-timestamp": 1514863478.788863443 } }
{ "rx-event": {"monitor-seq-id": 9, "monitor-timestamp": "2018-01-02 03:24:08.788910", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47449, "offset-from-master": 9.000000, "mean-path-delay": 1897.000000, "sync-ingress-timestamp": 1514863479.788860880 } }
{ "rx-event": {"monitor-seq-id": 10, "monitor-timestamp": "2018-01-02 03:24:08.788911", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47450, "offset-from-master": 8.000000, "mean-path-delay": 1896.000000, "sync-ingress-timestamp": 1514863480.788858317 } }
{ "rx-event": {"monitor-seq-id": 11, "monitor-timestamp": "2018-01-02 03:24:08.788912", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47451, "offset-from-master": 8.000000, "mean-path-delay": 1896.000000, "sync-ingress-timestamp": 1514863481.788857043 } }
{ "rx-event": {"monitor-seq-id": 12, "monitor-timestamp": "2018-01-02 03:24:08.788912", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47452, "offset-from-master": 8.000000, "mean-path-delay": 1896.000000, "sync-ingress-timestamp": 1514863482.788853191 } }
{ "rx-event": {"monitor-seq-id": 13, "monitor-timestamp": "2018-01-02 03:24:08.788913", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47453, "offset-from-master": -1.000000, "mean-path-delay": 1896.000000, "sync-ingress-timestamp": 1514863483.788851917 } }
{ "rx-event": {"monitor-seq-id": 14, "monitor-timestamp": "2018-01-02 03:24:08.788913", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47454, "offset-from-master": -3.500000, "mean-path-delay": 1893.500000, "sync-ingress-timestamp": 1514863484.788848072 } }
I am new to Splunk and regex... please help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This line here should extract the data you need...
| rex "\"port-id\":\s+\"(?<node>[0-9a-fA-F:.]{21})\",.*?\"address\":\s+ \"(?<address>\d+\.\d+\.\d+\.\d+)/""
Here's an example of one way you could proceed:
| makeresults
| eval mydata="{ \"node\": {\"port-id\": \"000f:53ff:fe59:f640.1\", \"domain\": 3, \"address\": \"10.0.0.1\" } }!!!!!{ \"node\": {\"port-id\": \"000f:53ff:fe59:f720.1\", \"domain\": 1, \"address\": \"10.0.0.2\" } }!!!!!{ \"node\": {\"port-id\": \"000f:53ff:fe59:f620.2\", \"domain\": 0, \"address\": \"10.0.0.3\" } }!!!!!{ \"rx-event\": {\"monitor-seq-id\": 0, \"monitor-timestamp\": \"2018-01-02 03:24:08.454728\", \"node\": \"000f:53ff:fe59:f640.1\", \"parent-port\": \"ec46:70ff:fe00:be6d.1\", \"sync-seq\": 18218, \"offset-from-master\": -11.000000, \"mean-path-delay\": 1771.000000, \"sync-ingress-timestamp\": 1514863478.454504073 } }!!!!!{ \"rx-event\": {\"monitor-seq-id\": 1, \"monitor-timestamp\": \"2018-01-02 03:24:08.454730\", \"node\": \"000f:53ff:fe59:f640.1\", \"parent-port\": \"ec46:70ff:fe00:be6d.1\", \"sync-seq\": 18219, \"offset-from-master\": -11.000000, \"mean-path-delay\": 1771.000000, \"sync-ingress-timestamp\": 1514863479.454501525 } }!!!!!{ \"rx-event\": {\"monitor-seq-id\": 2, \"monitor-timestamp\": \"2018-01-02 03:24:08.454730\", \"node\": \"000f:53ff:fe59:f640.1\", \"parent-port\": \"ec46:70ff:fe00:be6d.1\", \"sync-seq\": 18220, \"offset-from-master\": -11.000000, \"mean-path-delay\": 1771.000000, \"sync-ingress-timestamp\": 1514863480.454500265 } }"
| makemv delim="!!!!!" mydata
| mvexpand mydata
| rename COMMENT as "The above just creates test data."
| rename COMMENT as "This pulls the node and addess off the MAC address mapping records"
| rex field=mydata "port-id\":\s+\"(?<node>[0-9a-fA-F:.]{21})\",.*\"address\":\s+?\"(?<address>\d+\.\d+\.\d+\.\d+)\""
| eval killme=case(isnotnull(address),"killme")
| rename COMMENT as "This pulls the node off the log entries - you need to do whatever else here that you want for the report"
| rex field=mydata "node\":\s+\"(?<node>[0-9a-fA-F:.]{21})\""
| rename COMMENT as "Now we roll the address from the MAC to the log records"
| eventstats max(address) as address by node
| rename COMMENT as "and kill the unneeded MAC records"
| where isnull(killme)
| rename COMMENT as "Or you can wait until this point and NOW do whatever else here that you want for the report"
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
