Splunk Search

Can I process ASA Built and Teardown as a single event?

mikesr
Explorer

Hi,

Can anyone please answer whether it is possible to process ASA Built and Teardown messages of a single connection as a single event.
ASA generates a Built message when a TCP/UDP connection is established over the firewall and a Teardown message when the connection is closed. Unfortunately some data are missing in each type of message
(e.g. direction is only in Built and duration is only in Teardown).
What I want to do is process both messages for each connection as a single merged "connection" event so that I can make a select or a graph using "connection" events instead of single Built or Teardown events.

Thanks in advance.
Roman

0 Karma
1 Solution

jcoates_splunk
Splunk Employee
Splunk Employee

You can use a transaction command to do this if there is a matching and unique element in both events. For this specific data type you need a transaction ID, addresses and ports won't be unique enough (unless maybe if you evaluate them into a single field?)

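As an added illustration of the approach in the accepted answer (this search is not from the original thread or from Splunk), here is one way to pair the two syslog messages with `transaction`. It assumes the events are in an index named `firewall` with sourcetype `cisco:asa`, that the raw text follows the standard Cisco ASA formats for message IDs 302013 (Built TCP connection) and 302014 (Teardown TCP connection), and that no add-on field extractions are present, so all field names (`action`, `direction`, `conn_id`, `src_ip`, etc.) are extracted here with `rex` and are my own choice:

```spl
index=firewall sourcetype="cisco:asa" ("%ASA-6-302013" OR "%ASA-6-302014")
| rex "%ASA-6-30201[34]: (?<action>Built|Teardown) (?:(?<direction>inbound|outbound) )?TCP connection (?<conn_id>\d+) for (?<src_zone>[^:]+):(?<src_ip>[^/\s]+)/(?<src_port>\d+)(?: \([^)]*\))? to (?<dst_zone>[^:]+):(?<dst_ip>[^/\s]+)/(?<dst_port>\d+)"
| rex "duration (?<dh>\d+):(?<dm>\d+):(?<ds>\d+) bytes (?<bytes>\d+)(?: (?<reason>.+))?$"
| eval duration_sec = dh*3600 + dm*60 + ds
| eval conn_key = conn_id . "|" . src_ip . ":" . src_port . ">" . dst_ip . ":" . dst_port
| transaction conn_key startswith=(action="Built") endswith=(action="Teardown") maxspan=24h maxevents=2
| where closed_txn=1
| table _time conn_id direction src_zone src_ip src_port dst_zone dst_ip dst_port duration_sec bytes reason
```

The ASA connection ID alone is the "transaction ID" the answer asks for, but the ASA reuses IDs over time, so `conn_key` concatenates it with the address/port 4-tuple and `maxspan` bounds how far apart a Built and its Teardown may be; this addresses the uniqueness concern raised in the answer. All fields are extracted before `transaction` so that `direction` (only in Built) and `duration_sec`, `bytes` and `reason` (only in Teardown) both land on the merged event. The ASA's own duration is deliberately extracted as `dh`/`dm`/`ds` rather than `duration`, because `transaction` adds its own `duration` field (seconds between the first and last event). `closed_txn=1` keeps only fully paired connections; drop that `where` (or add `keeporphans=true`) to see Built messages that never received a Teardown, which is what you would look at when hunting for half-open or long-lived connections. UDP connections use message IDs 302015/302016 with the same structure and can be added to the same search.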
mikesr
Explorer

Transaction command works very well.

Thanks for the hint.

0 Karma

lukejadamec
Super Champion

I'm pretty sure you can use transaction for that. Can you post a build and teardown event for a connection?

0 Karma