Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can you help me with the following query?

vrmandadi
Builder
‎02-25-2019 12:28 PM

Hello,

I am trying to calculate the RTT time of a host where the IP is in a different source, and the rtt time is in different source. The common field is a field extraction I have done, which is called ID

Source1 -Has hexa ip

index=abc sourcetype=xyz source=*back* *0x*
| rex "(?i)0x(?<d1>[0-9A-F]{2})(?<d2>[0-9A-F]{2})(?<d3>[0-9A-F]{2})(?<d4>[0-9A-F]{2})" 
| eval ip=tostring(tonumber(d1,16))+"."+tostring(tonumber(d2,16))+"."+tostring(tonumber(d3,16))+"."+tostring(tonumber(d4,16)) 
| rex field=_raw "\.\"\d.\d.\d{2}.\d.\d.\d.\d.\d{1,2}.\d{10}.(?<ID>[^.]+)"

Source2- has RTT time which is an extracted field

index=msad sourcetype=snmp source=*MAX* 
| rex field=_raw "\.\"\d.\d.\d{2}.\d.\d.\d.\d.\d{1,2}.\d{10}.(?<ID>[^.]+)"

Sample event source1

SNMPv2-SMI::enterprises."9.9.42.1.3.2.1.8.2135576845.1109857196.1.1" = "0x0a160205"

Sample event source2

SNMPv2-SMI::enterprises."9.9.42.1.3.1.1.11.2020016708.1109857176.1.1.1" = "177"

The common field is the ID in the above event. The value is 1109857196. I want to get the RTT time ,IP and ID field in a table by combining these two sources, whose index and sourcetype are the same.

Thanks,

Vineeth

0 Karma
Reply

Vijeta
Influencer
‎02-25-2019 06:42 PM 
index=abc sourcetype=snmp ((source=*back* *0x* ) OR source=*MAX*)
 | rex field=_raw "\.\"\d.\d.\d{2}.\d.\d.\d.\d.\d{1,2}.\d{10}.(?<ID>[^.]+)"
 | rex "(?i)0x(?<d1>[0-9A-F]{2})(?<d2>[0-9A-F]{2})(?<d3>[0-9A-F]{2})(?<d4>[0-9A-F]{2})" 
 | eval ip=tostring(tonumber(d1,16))+"."+tostring(tonumber(d2,16))+"."+tostring(tonumber(d3,16))+"."+tostring(tonumber(d4,16)) 

 | stats values(ip) as ip values(RTT) as RTT by ID
0 Karma
Reply

somesoni2
Revered Legend
‎02-25-2019 12:46 PM

Give this a try

(index=abc sourcetype=xyz source=*back* *0x*) OR (index=msad sourcetype=snmp source=*MAX*)
| rex field=_raw "\.\"\d.\d.\d{2}.\d.\d.\d.\d.\d{1,2}.\d{10}.(?<ID>[^.]+)"
| rex "(?i)0x(?<d1>[0-9A-F]{2})(?<d2>[0-9A-F]{2})(?<d3>[0-9A-F]{2})(?<d4>[0-9A-F]{2})" 
| eval ip=tostring(tonumber(d1,16))+"."+tostring(tonumber(d2,16))+"."+tostring(tonumber(d3,16))+"."+tostring(tonumber(d4,16)) 
| rex field=_raw "\"(?<RTT>[^\"]+)\"$"
| stats values(ip) as ip values(RTT) as RTT by ID
0 Karma
Reply

vrmandadi
Builder
‎02-25-2019 02:16 PM

Hello @somesoni2

I tried your query but the RTT field is showing blank .Just a small change both the sourcetypes are same but sources are different

0 Karma
Reply

somesoni2
Revered Legend
‎02-25-2019 02:21 PM

In your sample event 2, I'm taking "177" as RTT (which I'm assuming comes at end of the raw data). If that is not correct the you'd have to update the regex (2nd last line) for RTT.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...