https://community.splunk.com/t5/Splunk-Search/Calculate-any-Server-network-throughput-from-Cisco-ASA-logs/m-p/668296#M229267 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/262383">@Hami-g</a>,</P><P><A href="https://splunkbase.splunk.com/app/1620" target="_self">Splunk Add-on for Cisco ASA</A> provides the recommended knowledge objects for message 302014:</P><P>| eval bytes_per_second=bytes/duration</P><P>Specifically, the add-on includes a transform for field extractions and a field for duration:</P><PRE># transforms.conf<BR /><BR />[cisco_asa_message_id_302014_302016]<BR />REGEX = -30201[46]:\s*(\S+)\s+(\S+)\s+connection\s+(\d+)\s+for\s+([^:\s]+)\s*:\s*(?:((?:[\d+.]+|[a-fA-F0-9]*:[a-fA-F0-9]*:[a-fA-F0-9:]*))|(\S+))\s*\/\s*(\d{1,5})(?:\s*\(\s*(?:([\S^\\]+)\\)?([\w\-_@\.]+)\s*\))?\s+to\s+([^:\s]+)\s*:\s*(?:((?:[\d+.]+|[a-fA-F0-9]*:[a-fA-F0-9]*:[a-fA-F0-9:]*))|(\S+))\s*\/\s*(\d{1,5})(?:\s*\(\s*(?:([\S^\\]+)\\)?([\w\-_]+)\s*\))?\s+[Dd]uration:?\s*(?:(\d+)[dD])?\s*(\d+)[Hh]?\s*:\s*(\d+)[Mm]?\s*:\s*(\d+)[Ss]?\s+bytes\s+(\d+)\s*(?:(.+?(?=\s+from))\s+from\s+(\S+)|([^\(]+))?\s*(?:\(\s*([^\)\s]+)\s*\))?<BR />FORMAT = action::$1 transport::$2 session_id::$3 src_interface::$4 src_ip::$5 src_host::$6 src_port::$7 src_nt_domain::$8 src_user::$9 dest_interface::$10 dest_ip::$11 dest_host::$12 dest_port::$13 dest_nt_domain::$14 dest_user::$15 duration_day::$16 duration_hour::$17 duration_minute::$18 duration_second::$19 bytes::$20 reason::$21 teardown_initiator::$22 reason::$23 user::$24<BR /><BR /># props.conf<BR /><BR />[cisco:asa]<BR /># ...<BR />EVAL-duration = ((coalesce(duration_day, 0))*24*60*60) + (duration_hour*60*60) + (duration_minute*60) + (duration_second)</PRE><P>&nbsp;</P> Sat, 11 Nov 2023 02:01:38 GMT tscroggins 2023-11-11T02:01:38Z https://community.splunk.com/t5/Splunk-Search/Calculate-any-Server-network-throughput-from-Cisco-ASA-logs/m-p/668294#M229265 <P>I can see logs from Cisco ASA firewall to Splunk and we are getting logs when a connection close. It have the total data send with bytes.&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">Nov 1 12:19:48 ASA-FW-01 : %ASA-6-302014: Teardown TCP connection 4043630532 for INSIDE-339:192.168.42.10/37308 to OUTSIDE-340:192.168.36.26/8080 duration 0:00:00 bytes 6398 TCP FINs from INSIDE-VLAN339</LI-CODE><P>&nbsp;</P><P>I am unable to see bytes as a valid field.&nbsp; I tried to create Extract New Fields for this.&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">^(?:[^:\n]*:){8}\d+\s+(?P&lt;BYTES&gt;\w+\s+)</LI-CODE><P>&nbsp;</P><P>But when I use in the search it fails.&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=asa_* src_ip = "192.168.42.10" | rex field=_raw DATA=0 "^(?:[^:\n]*:){8}\d+\s+(?P&lt;BYTES&gt;\w+\s+)"</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P><FONT color="#FF0000"><STRONG>OBJECTIVE</STRONG> </FONT>:&nbsp; Calculate Server throughput for flows using Cisco ASA logs.&nbsp; &nbsp;So view the network throughput for the flows using splunk.&nbsp;</P> Sat, 11 Nov 2023 01:49:42 GMT https://community.splunk.com/t5/Splunk-Search/Calculate-any-Server-network-throughput-from-Cisco-ASA-logs/m-p/668294#M229265 Hami-g 2023-11-11T01:49:42Z https://community.splunk.com/t5/Splunk-Search/Calculate-any-Server-network-throughput-from-Cisco-ASA-logs/m-p/668296#M229267 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/262383">@Hami-g</a>,</P><P><A href="https://splunkbase.splunk.com/app/1620" target="_self">Splunk Add-on for Cisco ASA</A> provides the recommended knowledge objects for message 302014:</P><P>| eval bytes_per_second=bytes/duration</P><P>Specifically, the add-on includes a transform for field extractions and a field for duration:</P><PRE># transforms.conf<BR /><BR />[cisco_asa_message_id_302014_302016]<BR />REGEX = -30201[46]:\s*(\S+)\s+(\S+)\s+connection\s+(\d+)\s+for\s+([^:\s]+)\s*:\s*(?:((?:[\d+.]+|[a-fA-F0-9]*:[a-fA-F0-9]*:[a-fA-F0-9:]*))|(\S+))\s*\/\s*(\d{1,5})(?:\s*\(\s*(?:([\S^\\]+)\\)?([\w\-_@\.]+)\s*\))?\s+to\s+([^:\s]+)\s*:\s*(?:((?:[\d+.]+|[a-fA-F0-9]*:[a-fA-F0-9]*:[a-fA-F0-9:]*))|(\S+))\s*\/\s*(\d{1,5})(?:\s*\(\s*(?:([\S^\\]+)\\)?([\w\-_]+)\s*\))?\s+[Dd]uration:?\s*(?:(\d+)[dD])?\s*(\d+)[Hh]?\s*:\s*(\d+)[Mm]?\s*:\s*(\d+)[Ss]?\s+bytes\s+(\d+)\s*(?:(.+?(?=\s+from))\s+from\s+(\S+)|([^\(]+))?\s*(?:\(\s*([^\)\s]+)\s*\))?<BR />FORMAT = action::$1 transport::$2 session_id::$3 src_interface::$4 src_ip::$5 src_host::$6 src_port::$7 src_nt_domain::$8 src_user::$9 dest_interface::$10 dest_ip::$11 dest_host::$12 dest_port::$13 dest_nt_domain::$14 dest_user::$15 duration_day::$16 duration_hour::$17 duration_minute::$18 duration_second::$19 bytes::$20 reason::$21 teardown_initiator::$22 reason::$23 user::$24<BR /><BR /># props.conf<BR /><BR />[cisco:asa]<BR /># ...<BR />EVAL-duration = ((coalesce(duration_day, 0))*24*60*60) + (duration_hour*60*60) + (duration_minute*60) + (duration_second)</PRE><P>&nbsp;</P> Sat, 11 Nov 2023 02:01:38 GMT https://community.splunk.com/t5/Splunk-Search/Calculate-any-Server-network-throughput-from-Cisco-ASA-logs/m-p/668296#M229267 tscroggins 2023-11-11T02:01:38Z https://community.splunk.com/t5/Splunk-Search/Calculate-any-Server-network-throughput-from-Cisco-ASA-logs/m-p/668303#M229272 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/262383">@Hami-g</a>&nbsp;,</P><P>you regex isn't correct, please try this:</P><LI-CODE lang="markup">^(?:[^:\n]*:){8}\d+\s+bytes\s(?P&lt;BYTES&gt;\w+\s+)</LI-CODE><P>that you can test at&nbsp;<A href="https://regex101.com/r/BGPGr9/1" target="_blank">https://regex101.com/r/BGPGr9/1</A></P><P>Ciao.</P><P>Giuseppe</P> Sat, 11 Nov 2023 06:45:43 GMT https://community.splunk.com/t5/Splunk-Search/Calculate-any-Server-network-throughput-from-Cisco-ASA-logs/m-p/668303#M229272 gcusello 2023-11-11T06:45:43Z