https://community.splunk.com/t5/Splunk-Search/ASA-searching-for-current-open-connections-that-have-been-Built/m-p/532061#M150306 <P>I've tweaked my answer to only look for allowed and teardown actions and then leave only those sessions with the most recent action of "allowed".</P> Fri, 04 Dec 2020 18:03:43 GMT richgalloway 2020-12-04T18:03:43Z https://community.splunk.com/t5/Splunk-Search/ASA-searching-for-current-open-connections-that-have-been-Built/m-p/531521#M150127 <P>Hello,</P><P>I'm pretty new to SPLUNK and I'm looking for help trying to find ASA open connections between two endpoints.</P><P>Most connections I search for have a 'Built' action and then some time after a corresponding 'teardown' action. I'm looking for those connections that have the 'Built' action&nbsp; but not the 'teardown' action.</P><P>The basic search I have&nbsp;pulls down all of the connections between the two:.&nbsp;</P><P>index="cisco" src_ip="10.55.45.12" dest_ip="10.65.45.20" dest_port=445</P><P>Is there a way to expand this search to find&nbsp; these open connections based on the absence of a teardown?&nbsp;&nbsp;</P><P>Is there a way to&nbsp;</P> Tue, 01 Dec 2020 13:49:12 GMT https://community.splunk.com/t5/Splunk-Search/ASA-searching-for-current-open-connections-that-have-been-Built/m-p/531521#M150127 FC50 2020-12-01T13:49:12Z https://community.splunk.com/t5/Splunk-Search/ASA-searching-for-current-open-connections-that-have-been-Built/m-p/531569#M150138 <P>Here's one way to do that.</P><LI-CODE lang="markup">index="cisco" src_ip="10.55.45.12" dest_ip="10.65.45.20" dest_port=445 | dedup session,action | where action="built"</LI-CODE><P>It assumes there is a field called "session" that uniquely identifies a connection between the two points.&nbsp; Change that to match whatever you have in your data.</P> Tue, 01 Dec 2020 17:44:22 GMT https://community.splunk.com/t5/Splunk-Search/ASA-searching-for-current-open-connections-that-have-been-Built/m-p/531569#M150138 richgalloway 2020-12-01T17:44:22Z https://community.splunk.com/t5/Splunk-Search/ASA-searching-for-current-open-connections-that-have-been-Built/m-p/532059#M150305 <P>Thanks for the response but no joy unfortunately.</P><P>It's still bringing up the thousands of results with the allowed action (I mistakenly called it built earlier) , and not showing just the few that only had the allowed action and not a corresponding teardown.</P><P>The allowed and teardown options do share a field called 'session_id' which is a long number</P> Fri, 04 Dec 2020 17:41:57 GMT https://community.splunk.com/t5/Splunk-Search/ASA-searching-for-current-open-connections-that-have-been-Built/m-p/532059#M150305 FC50 2020-12-04T17:41:57Z https://community.splunk.com/t5/Splunk-Search/ASA-searching-for-current-open-connections-that-have-been-Built/m-p/532061#M150306 <P>I've tweaked my answer to only look for allowed and teardown actions and then leave only those sessions with the most recent action of "allowed".</P> Fri, 04 Dec 2020 18:03:43 GMT https://community.splunk.com/t5/Splunk-Search/ASA-searching-for-current-open-connections-that-have-been-Built/m-p/532061#M150306 richgalloway 2020-12-04T18:03:43Z https://community.splunk.com/t5/Splunk-Search/ASA-searching-for-current-open-connections-that-have-been-Built/m-p/532193#M150339 <P>Cool, thanks. That seems to have done the trick</P> Mon, 07 Dec 2020 13:40:31 GMT https://community.splunk.com/t5/Splunk-Search/ASA-searching-for-current-open-connections-that-have-been-Built/m-p/532193#M150339 FC50 2020-12-07T13:40:31Z