Dashboards & Visualizations

Cisco ASA Tcp / UDB Builds in the same graph

nelsons
New Member

Hi

I am new to splunk so please bear with me if this is a noob kinda question. I am taking syslogs from our Cisco ASA 5510 and have managed to create a single graph of all the denied traffic to the external FW interface.

I would now like to create a graph with two elements to it, the are all the FW Builds for both TCP and UDP packets, I can create the search to show either TCP or UDP builds or a search to show both but I am unsure how to show both on the same graph for my dashboard.

Any help would be great.

Thanks

Steve

Tags (3)
0 Karma

Simeon
Splunk Employee
Splunk Employee

Without knowing the exact searches you are running, it will be difficult to provide the complete answer. However, we can suggest the method to form the search. In theory, you would just group the chart/graph by the type of packet. If you have a field that identifies the traffic, then you would just chart "by field_name". For example, if I had a field that defines my protocol, and I had a sourcetype of syslog, I would do something like:

index=network_stuff sourcetype=syslog | timechart count by protocol

This assumes that I have extracted a field in these events that identifies the correct protocol (as TCP or UDP). You could also create an eventtype that identifies each type of event, then chart "by eventtype".

======UPDATE=======

If the events look something like this:

9/21/10 08:57:00  Host="x.x.x.x" Built outbound TCP connection for outside
9/21/10 08:57:00  Host="x.x.x.x" Built outbound UDP connection for outside

Where the TCP and UDP define the traffic type, the suggested way to leverage your data is to extract a field called protocol. You can use the interactive field extractor, or use a regex with the rex command as follows:

rex "outbound (?<protocol>.*[^ ]) connection" 

In total, your search would look like:

index=network_stuff sourcetype=syslog | rex "outbound (?<protocol>.*[^ ]) connection" | timechart count by protocol
0 Karma

nelsons
New Member

Info : my eventtypes are :

host="x.x.x.x" Built outbound TCP connection for outside

host="x.x.x.x" Built outbound UDP connection for outside

and when I search using these I find exactly the data I am looking for

0 Karma

nelsons
New Member

I'm not sure this is going to work for me, because as well as the firewall builds there are also the associated teardowns when the connection timer expires, these are also based on TCP or UDP.

surely if I can search the logs and get the responses I want to see with two different eventtypes (one for TCP and one for UDP) I can display them on the same graph??

0 Karma

nelsons
New Member

Thanks Simeon, I do have an eventtype so I'll try that. Many thanks !

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...