https://community.splunk.com/t5/Reporting/Syslog-Reports/m-p/164082#M10580 <P>I have pointed our Juniper firewall to our Splunk installation for logging. My goal is develop a dashboard that we can pull up at any time that tell us the top 20 source addresses and the top 20 destinations in use over a given period of time. I am afraid that I have been striking out so far when it comes to figuring out the search strings needed to produce this dashboard. I am including one syslog event to show what variables there are: </P> <P>2014-02-21 23:59:58 User.Info 172.16.1.1 1 2014-02-21T23:59:52.189 Hostname RT_FLOW - RT_FLOW_SESSION_CLOSE [<A href="mailto:junos@2636.1.1.1.2.58" target="_blank">junos@2636.1.1.1.2.58</A> reason="TCP RST" source-address="192.168.2.164" source-port="53232" destination-address="172.16.1.19" destination-port="445" service-name="junos-smb" nat-source-address="192.168.2.164" nat-source-port="53232" nat-destination-address="172.16.1.19" nat-destination-port="445" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="6" policy-name="35" source-zone-name="Trust" destination-zone-name="Trust" session-id-32="206" packets-from-client="13" bytes-from-client="4274" packets-from-server="9" bytes-from-server="1575" elapsed-time="16" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/2.0"]</P> Mon, 28 Sep 2020 15:58:03 GMT wilbuchanan 2020-09-28T15:58:03Z https://community.splunk.com/t5/Reporting/Syslog-Reports/m-p/164082#M10580 <P>I have pointed our Juniper firewall to our Splunk installation for logging. My goal is develop a dashboard that we can pull up at any time that tell us the top 20 source addresses and the top 20 destinations in use over a given period of time. I am afraid that I have been striking out so far when it comes to figuring out the search strings needed to produce this dashboard. I am including one syslog event to show what variables there are: </P> <P>2014-02-21 23:59:58 User.Info 172.16.1.1 1 2014-02-21T23:59:52.189 Hostname RT_FLOW - RT_FLOW_SESSION_CLOSE [<A href="mailto:junos@2636.1.1.1.2.58" target="_blank">junos@2636.1.1.1.2.58</A> reason="TCP RST" source-address="192.168.2.164" source-port="53232" destination-address="172.16.1.19" destination-port="445" service-name="junos-smb" nat-source-address="192.168.2.164" nat-source-port="53232" nat-destination-address="172.16.1.19" nat-destination-port="445" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="6" policy-name="35" source-zone-name="Trust" destination-zone-name="Trust" session-id-32="206" packets-from-client="13" bytes-from-client="4274" packets-from-server="9" bytes-from-server="1575" elapsed-time="16" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/2.0"]</P> Mon, 28 Sep 2020 15:58:03 GMT https://community.splunk.com/t5/Reporting/Syslog-Reports/m-p/164082#M10580 wilbuchanan 2020-09-28T15:58:03Z https://community.splunk.com/t5/Reporting/Syslog-Reports/m-p/164083#M10581 <P>Hi wilbuchanan,</P> <P>this should be pretty easy according your provided log example. Splunk will create the fields for <CODE>source-address</CODE> and <CODE>destination-address</CODE> on it's own, so you just have to use these fields in your search like this:</P> <PRE><CODE>PutYourBaseSearchHere | top limit=20 source-address destination-address </CODE></PRE> <P>this will give you an table like report of each <A href="http://docs.splunk.com/Documentation/Splunk/6.0.2/SearchReference/Top">top</A> 20 IP's</P> <P>hope this helps to get you started ...</P> <P>cheers, MuS</P> Mon, 24 Feb 2014 20:29:37 GMT https://community.splunk.com/t5/Reporting/Syslog-Reports/m-p/164083#M10581 MuS 2014-02-24T20:29:37Z https://community.splunk.com/t5/Reporting/Syslog-Reports/m-p/164084#M10582 <P>Mus, </P> <P>Thank you for pointers. This did get me started. <BR /> What ended up helping a great deal was to switch to verbose logs (upper left hand side of search window) and then to click on the headings along the left side. I now have really great dashboards for my Juniper syslogs. Thank you for your help!</P> Tue, 25 Feb 2014 02:06:22 GMT https://community.splunk.com/t5/Reporting/Syslog-Reports/m-p/164084#M10582 wilbuchanan 2014-02-25T02:06:22Z https://community.splunk.com/t5/Reporting/Syslog-Reports/m-p/164085#M10583 <P>Mus, </P> <P>Thank you for pointers. This did get me started. <BR /> What ended up helping a great deal was to switch to verbose logs (upper left hand side of search window) and then to click on the headings along the left side. I now have really great dashboards for my Juniper syslogs. Thank you for your help!</P> Tue, 25 Feb 2014 02:06:46 GMT https://community.splunk.com/t5/Reporting/Syslog-Reports/m-p/164085#M10583 wilbuchanan 2014-02-25T02:06:46Z https://community.splunk.com/t5/Reporting/Syslog-Reports/m-p/164086#M10584 <P>Mus, </P> <P>Thank you for pointers. This did get me started. <BR /> What ended up helping a great deal was to switch to verbose logs (upper left hand side of search window) and then to click on the headings along the left side. I now have really great dashboards for my Juniper syslogs. Thank you for your help!</P> Tue, 25 Feb 2014 02:07:10 GMT https://community.splunk.com/t5/Reporting/Syslog-Reports/m-p/164086#M10584 wilbuchanan 2014-02-25T02:07:10Z https://community.splunk.com/t5/Reporting/Syslog-Reports/m-p/164087#M10585 <P>You're welcome, please accept this answer if it was of help - thanks</P> Tue, 25 Feb 2014 06:34:42 GMT https://community.splunk.com/t5/Reporting/Syslog-Reports/m-p/164087#M10585 MuS 2014-02-25T06:34:42Z