Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to remove and isolate the SRC_ADDR and Port from a tcpdump

albyva
Communicator
‎12-18-2013 09:21 PM

I've placed tcpdump for my server's interface into a cronjob that is writing the output
to a file. That file is then loaded into Splunk. I'm trying to extract the Source Address and
ports from the tcpdump data, but I'm running into a rex/regex knowledge wall.

17:05:04.419162 IP6 www.espeakers.com.ntp > myserver.com.ntp: NTPv4, Client, length 48

17:07:00.950849 IP6 jail2.daycos.com.ntp > myserver.com.ntp: NTPv4, Client, length 48

17:09:06.084146 IP6 greenbee.greenbeefundraising.com.ntp > myserver.com.ntp: NTPv4, Client, length 48

17:14:07.998611 IP6 pdr-lan.ipv6.xtcn.com.ntp > myserver.com.ntp: NTPv4, Client, length 48

17:19:03.210652 IP6 bonobo.mopidy.com.ntp > myserver.com.ntp: NTPv4, Client, length 48

What I'm looking for is the rex syntax that will:

(a) Pull out the Source Address
(b) Pull out the Source Port
(c) Repeat A and B, but on the Destination Address and Port.

I tried the extract wizard, but I can't seem to get it to meet my demands.

Thanks,

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jsie_splunk
Splunk Employee
Splunk Employee
‎12-18-2013 10:13 PM

Try this:

| rex field=_raw "(?:\S+\s+){2}(?<src_fqdn>\S+)\.(?<src_svc>\w+)[\s\>]+(?<dst_fqdn>\S+)\.(?<dst_svc>\w+):"

This assumes what you've listed above is the entirety of each event, and performs the extractions setting the names listed. I tested it using the following two search commands. The first uses your existing format and the second tests to make sure it continues working if name/service resolution either isn't working, or if you decide to modify your tcpdump to not perform resolution.

source="*" | eval _raw="17:05:04.419162 IP6 bonobo.mopidy.com.ntp > myserver.com.ntp: NTPv4, Client, length 48" | rex field=_raw "(?:\S+\s+){2}(?<src_fqdn>\S+)\.(?<src_svc>\w+)[\s\>]+(?<dst_fqdn>\S+)\.(?<dst_svc>\w+):" | fields src_fqdn, src_svc, dst_fqdn, dst_svc

source="*" | eval _raw="17:05:04.419162 IP6 127.0.0.1.80 > 127.0.0.1.1234: NTPv4, Client, length 48" | rex field=_raw "(?:\S+\s+){2}(?<src_fqdn>\S+)\.(?<src_svc>\w+)[\s\>]+(?<dst_fqdn>\S+)\.(?<dst_svc>\w+):" | fields src_fqdn, src_svc, dst_fqdn, dst_svc

Regards and good luck.

View solution in original post

Reply
Solved! Jump to solution
Solution

jsie_splunk
Splunk Employee
Splunk Employee
‎12-18-2013 10:13 PM

Try this:

| rex field=_raw "(?:\S+\s+){2}(?<src_fqdn>\S+)\.(?<src_svc>\w+)[\s\>]+(?<dst_fqdn>\S+)\.(?<dst_svc>\w+):"

This assumes what you've listed above is the entirety of each event, and performs the extractions setting the names listed. I tested it using the following two search commands. The first uses your existing format and the second tests to make sure it continues working if name/service resolution either isn't working, or if you decide to modify your tcpdump to not perform resolution.

source="*" | eval _raw="17:05:04.419162 IP6 bonobo.mopidy.com.ntp > myserver.com.ntp: NTPv4, Client, length 48" | rex field=_raw "(?:\S+\s+){2}(?<src_fqdn>\S+)\.(?<src_svc>\w+)[\s\>]+(?<dst_fqdn>\S+)\.(?<dst_svc>\w+):" | fields src_fqdn, src_svc, dst_fqdn, dst_svc

source="*" | eval _raw="17:05:04.419162 IP6 127.0.0.1.80 > 127.0.0.1.1234: NTPv4, Client, length 48" | rex field=_raw "(?:\S+\s+){2}(?<src_fqdn>\S+)\.(?<src_svc>\w+)[\s\>]+(?<dst_fqdn>\S+)\.(?<dst_svc>\w+):" | fields src_fqdn, src_svc, dst_fqdn, dst_svc

Regards and good luck.

Reply
Solved! Jump to solution

albyva
Communicator
‎04-25-2014 11:56 AM

Can somebody break out this search so I can create Field Extractions so it's hard coded?

0 Karma
Reply
Solved! Jump to solution

jsie_splunk
Splunk Employee
Splunk Employee
‎12-19-2013 07:01 AM

You're welcome, Im glad it worked.

Reply
Solved! Jump to solution

albyva
Communicator
‎12-19-2013 04:39 AM

Thank You. This rex statement hit the nail on the spot.

0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...