Re-write host field for Splunk

Hello, this is probably simple, but I can’t get it to work. I just want to remove IPv6 encapsulation from the host field of events arriving at Cribl via syslog. So, existing host field is ::ffff:10.1.1.1, I want it to be just 10.1.1.1. For some reason I can’t get this to work, Splunk shows a null value for host when I try to EVAL, MASK, REGEX, etc. Anyone have a way to do this?

Best Answer

  • Chris
    Chris Posts: 13 mod
    edited July 2023 Answer ✓

    Here is how I was able to do it. In my example, I have host set to your example above:

    Then I use the Regex Extract function to extract out the IPv4 address from host:
    Regex is ^(?:[^\d]+)(?<host_regex>.+)$

    Then I use an Eval function to replace the host value with the host_regex value and then remove the host_regex field.
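    The two-step pipeline in this answer, simulated in plain JavaScript as an added example (it is not Cribl code nor the answer's own configuration; the function names regexExtract, evalHost and rewriteHost are mine, and MAPPED_ONLY_REGEX is my own narrower alternative, not something the answer proposes). It shows that the answer's regex only fires when host begins with a non-digit, so a bare IPv4 host is left alone by the guarded Eval rather than blanked, and that a genuine IPv6 host such as fe80::1 would be cut to 80::1 by that regex, which the mapped-only pattern avoids.

```javascript
// Added example, not Cribl code: a plain-JavaScript simulation of the two
// pipeline functions in the answer (Regex Extract, then Eval), so the field
// handling can be checked offline on constructed events.

// The regex from the answer: strip a leading run of non-digits (e.g. "::ffff:")
// and capture the remainder into the named group host_regex.
const ANSWER_REGEX = /^(?:[^\d]+)(?<host_regex>.+)$/;

// Narrower alternative (my suggestion, not from the answer): only rewrite
// IPv4-mapped IPv6 hosts, leaving bare IPv4 and genuine IPv6 hosts untouched.
const MAPPED_ONLY_REGEX = /^::ffff:(?<host_regex>\d{1,3}(?:\.\d{1,3}){3})$/;

// Step 1, Regex Extract: match the regex against event.host and add each
// named capture group as a field on the event. No match means no new field.
function regexExtract(event, regex) {
  const m = typeof event.host === 'string' ? event.host.match(regex) : null;
  if (m && m.groups) {
    Object.assign(event, m.groups);
  }
  return event;
}

// Step 2, Eval: host = host_regex, then remove host_regex. The guard keeps the
// original host when the extract did not match, instead of leaving host
// undefined (which the downstream indexer would display as empty).
function evalHost(event) {
  if (event.host_regex !== undefined) {
    event.host = event.host_regex;
    delete event.host_regex;
  }
  return event;
}

// Whole pipeline on a copy of the event; returns the resulting host value.
function rewriteHost(event, regex = ANSWER_REGEX) {
  return evalHost(regexExtract({ ...event }, regex)).host;
}

// Constructed sample hosts (not real syslog data).
const SAMPLE_HOSTS = ['::ffff:10.1.1.1', '10.1.1.1', 'fe80::1'];

for (const host of SAMPLE_HOSTS) {
  console.log(
    `${host} -> answer regex: ${rewriteHost({ host })}, ` +
    `mapped-only regex: ${rewriteHost({ host }, MAPPED_ONLY_REGEX)}`
  );
}
```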
