
Windows Firewall log

hafizuddin
Path Finder

Hi, I'm a newbie for Splunk Enterprise.

I have a log file for Windows Firewall that I already pointed to Splunk via the universal forwarder, and Splunk reads it as per below:

11/27/17
9:56:14.000 AM 2017-11-27 09:56:14 ALLOW UDP 202.217.203.244 58.139.24.118 52785 161 0 - - - - - - - SEND
host = BITNPM01 source = C:\Windows\System32\LogFiles\Firewall\pfirewall.log sourcetype = pfirewall

11/27/17
9:56:14.000 AM 2017-11-27 09:56:14 ALLOW UDP 202.217.203.244 114.133.193.1 52785 161 0 - - - - - - - SEND
host = BITNPM01 source = C:\Windows\System32\LogFiles\Firewall\pfirewall.log sourcetype = pfirewall

I just want to create a table from this log where I need to split out variables like source IP, destination IP and time. I have tried to use the pivot function, but the variables I need are not shown there.

0 Karma

cpetterborg
SplunkTrust

Have you done any field extractions or are you using a Technology Addon (TA) that is giving you any field extractions? If not, that is your first problem. Once you have the field extractions, you can simply display a table of the data with:

<your_base_search> | table *

or you can define which of the fields you want displayed in your table with:

<your_base_search> | table field, field2, field3

But you do have to have fields being extracted for either of these to do anything useful. Here is a useful document to get you started in creating your own automatic field extraction:

http://docs.splunk.com/Documentation/Splunk/7.0.0/Knowledge/ExtractfieldsinteractivelywithIFX

0 Karma
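As an added example (not from this thread, and not Splunk's or Microsoft's own code), here is the same field split done outside Splunk: a small Python parser for the pfirewall.log column layout, with the equivalent `rex` stage shown in a comment. The `#Fields:` header is the standard Windows Firewall log header and matches the 17 columns of the events quoted in the question; the DROP line and the 10.0.0.5 address in the sample are constructed.

```python
# Column order written in the "#Fields:" header of a Windows Firewall log
# (pfirewall.log); the two events quoted in the question have exactly these 17 columns.
PFIREWALL_FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
                    "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# The same split expressed as an inline Splunk extraction (assumed search, not from the thread):
#   sourcetype=pfirewall
#   | rex "^(?<date>\S+)\s+(?<time>\S+)\s+(?<action>\S+)\s+(?<protocol>\S+)\s+(?<src_ip>\S+)\s+(?<dst_ip>\S+)\s+(?<src_port>\S+)\s+(?<dst_port>\S+)"
#   | table _time action protocol src_ip dst_ip src_port dst_port


def parse_pfirewall(lines, fields=None):
    """Yield one dict per event. A '#Fields:' header line overrides the column
    order; other '#' lines (Version, Software, Time Format) and blank lines are
    skipped; '-' placeholders become None. Lines with the wrong column count are
    yielded with an '_error' key instead of being silently dropped."""
    fields = list(fields or PFIREWALL_FIELDS)
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        cols = line.split()
        if len(cols) != len(fields):
            yield {"_raw": line,
                   "_error": "expected %d columns, got %d" % (len(fields), len(cols))}
            continue
        yield {name: (None if val == "-" else val) for name, val in zip(fields, cols)}


def table(events, columns=("time", "src-ip", "dst-ip")):
    """The '| table time src-ip dst-ip' view the question asks for, as tuples."""
    return [tuple(ev.get(c) for c in columns) for ev in events if "_error" not in ev]


# Constructed sample: the header block of a pfirewall.log, the two ALLOW events
# quoted in the question, plus one made-up DROP event to show the TCP columns filled.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2017-11-27 09:56:14 ALLOW UDP 202.217.203.244 58.139.24.118 52785 161 0 - - - - - - - SEND
2017-11-27 09:56:14 ALLOW UDP 202.217.203.244 114.133.193.1 52785 161 0 - - - - - - - SEND
2017-11-27 09:56:15 DROP TCP 10.0.0.5 202.217.203.244 44321 3389 52 S 1 0 64240 - - - RECEIVE
"""

if __name__ == "__main__":
    for row in table(parse_pfirewall(SAMPLE_LOG.splitlines())):
        print(*row)
```

Splunk does the same column-to-name mapping once a field extraction for `sourcetype=pfirewall` exists; the parser above is only a stand-alone way to check which column is which before writing that extraction.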

HiroshiSatoh
Champion

If the field is not displayed only for a specific user, I think that it is a matter of authority. Please check the permission setting of field extraction.

Fields » Field extractions
OR
Fields » Field transformations

0 Karma

HiroshiSatoh
Champion

What cannot be displayed?
Is it a field? Is it a pivot table?

0 Karma

hafizuddin
Path Finder

It is a Field...

0 Karma