Splunk Search

SPLUNK Search derived from Stream app produces strange result...

heskez
New Member

Hi there, when I run this search:

index=* source=stream:Splunk_IP | rex field=src_ip "(?<src1>.*)\.(?<src2>.*)\.(?<src3>.*)\.(?<src4>.*)" | where src1 NOT null | rex field=dest_ip "(?<dest1>.*)\.(?<dest2>.*)\.(?<dest3>.*)\.(?<dest4>.*)" | where dest1 NOT null | eval source_ip=round(src1+exact(src2*.001), 3) | eval destination_ip=round(dest1+exact(dest2*.001), 3) | eventstats sum(sum(bytes)) as bytes by source_ip, destination_ip | stats latest(source_ip), latest(destination_ip), sum(count) by bytes | rename latest(source_ip) as "Source IP", latest(destination_ip) as "Destination IP", sum(count) as "Flows", bytes as "Bytes", sourcetype as "Sourcetype"

It produces this result:
[screenshot of the search results]

As you'll notice, the other half of the source and destination IP addresses are missing.

Is this: ????

  • Because the flow data doesn't arrive properly in SPLUNK
  • The stream app needs more configuring
  • Search syntax is wrong

I'd highly appreciate an answer on this.
Thanks in advance!

Erik

0 Karma
1 Solution

nryabykh
Path Finder

Hi!

In these commands:
| eval source_ip=round(src1+exact(src2*.001), 3) | eval destination_ip=round(dest1+exact(dest2*.001), 3)

you try to concatenate only two parts of the IP (src1 and src2). No wonder that half of the IP is missing. Substitute these evals with:
| eval source_ip = src1 + "." + src2 +"." + src3 + "." + src4 | eval destination_ip = dest1 + "." + dest2 + "." + dest3 + "." + dest4

By the way, are you sure you need such a conversion? I'm guessing src_ip and dest_ip contain the whole and correct IP addresses, and you can use them instead of source_ip and destination_ip.


0 Karma

heskez
New Member

Anyone?
With advice?

0 Karma

heskez
New Member

I've now this search:

index=* source="stream:*" source="stream:fortistream"
|table timestamp, src_ip, dest_ip, dest_port, sum(bytes_in), sum(bytes_out)

But how do I make sure the values of src_ip and dest_ip belong together within the same data flow?

0 Karma

heskez
New Member

Basically this will work for me:

index=* source="stream:*" source="stream:fortistream" 
|table timestamp, src_ip, dest_ip, dest_port, sum(bytes_in), sum(bytes_out)

So what do I need this crazy search that comes with the Stream app data model for, then?
Why did they set it up like this?

0 Karma

heskez
New Member

Thanks! When I convert the syntax like this:

index=* source=stream:Splunk_IP | rex field=src_ip "(?<src1>.*)\.(?<src2>.*)\.(?<src3>.*)\.(?<src4>.*)" | where src1 NOT null | rex field=dest_ip "(?<dest1>.*)\.(?<dest2>.*)\.(?<dest3>.*)\.(?<dest4>.*)" | where dest1 NOT null | | eval source_ip = src1 + "." + src2 +"." + src3 + "." + src4 | eval destination_ip = dest1 + "." + dest2 + "." + dest3 + "." + dest4 | eventstats sum(sum(bytes)) as bytes by source_ip, destination_ip | stats latest(source_ip), latest(destination_ip), sum(count) by bytes | rename latest(source_ip) as "Source IP", latest(destination_ip) as "Destination IP", sum(count) as "Flows", bytes as "Bytes", sourcetype as "Sourcetype"

It produces an error message: Error in 'SearchParser': Missing a search command before '|'. Error at position '235' of search query 'search index=* source=stream:Splunk_IP | rex field...{snipped} {errorcontext = OT null | | eval sour}'.

You'd say I don't need the source_ip, however it's part of the data model. If I try to search on src_ip I don't get any data. Or I'm doing the wrong search; what would be the search syntax then?

0 Karma
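An added example, not a search from this thread or from the Stream app's data model, that answers the syntax question by aggregating on the complete src_ip and dest_ip fields instead of splitting them into octets and gluing them back together. It assumes the field names seen in the thread (src_ip, dest_ip, dest_port, bytes_in, bytes_out) are present in the stream events; the match() filter keeps only events whose two IP fields are complete dotted-quad IPv4 addresses, so an empty result here points at the incoming data rather than at the search:

```spl
index=* source="stream:*"
| where match(src_ip, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$") AND match(dest_ip, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")
| stats count AS flows sum(bytes_in) AS bytes_in sum(bytes_out) AS bytes_out BY src_ip dest_ip dest_port
| eval bytes = bytes_in + bytes_out
| sort - bytes
| rename src_ip AS "Source IP", dest_ip AS "Destination IP", dest_port AS "Destination Port", flows AS "Flows", bytes AS "Bytes"
```

Grouping with BY src_ip dest_ip dest_port is what keeps the two ends of one flow on the same row: stats only combines events that share all three values, which a plain table of per-event fields does not guarantee once sums are involved. If the event count drops sharply when the where line is added, the IP fields are arriving incomplete, and the Stream input configuration rather than the search syntax needs attention. If the octet-splitting form from the accepted answer is kept for data-model compatibility, replace `where src1 NOT null` with `where isnotnull(src1)` and make sure only a single pipe separates the commands.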

p_gurav
Champion

This is happening because you are using the round function. Can you try to remove it?

0 Karma

heskez
New Member

Thanks, I wonder why they even use the round function on an IP address!? 🙂
Anyway, if I remove it I mess up the syntax completely.

0 Karma