I am new to splunk so please bear with me if this is a noob kinda question. I am taking syslogs from our Cisco ASA 5510 and have managed to create a single graph of all the denied traffic to the external FW interface.
I would now like to create a graph with two elements to it: these are all the FW Builds for both TCP and UDP packets. I can create the search to show either TCP or UDP builds, or a search to show both, but I am unsure how to show both on the same graph for my dashboard.
Any help would be great.
Without knowing the exact searches you are running, it will be difficult to provide the complete answer. However, we can suggest the method to form the search. In theory, you would just group the chart/graph by the type of packet. If you have a field that identifies the traffic, then you would just chart "by field_name". For example, if I had a field that defines my protocol, and I had a sourcetype of syslog, I would do something like:
index=network_stuff sourcetype=syslog | timechart count by protocol
This assumes that I have extracted a field in these events that identifies the correct protocol (as TCP or UDP). You could also create an eventtype that identifies each type of event, then chart "by eventtype".
If the events look something like this:
9/21/10 08:57:00 Host="x.x.x.x" Built outbound TCP connection for outside
9/21/10 08:57:00 Host="x.x.x.x" Built outbound UDP connection for outside
Where the TCP and UDP define the traffic type, the suggested way to leverage your data is to extract a field called protocol. You can use the interactive field extractor, or use a regex with the rex command as follows:
rex "outbound (?<protocol>.*[^ ]) connection"
In total, your search would look like:
index=network_stuff sourcetype=syslog | rex "outbound (?<protocol>.*[^ ]) connection" | timechart count by protocol
Info: my eventtypes are:
host="x.x.x.x" Built outbound TCP connection for outside
host="x.x.x.x" Built outbound UDP connection for outside
When I search using these, I find exactly the data I am looking for.
I'm not sure this is going to work for me, because as well as the firewall builds there are also the associated teardowns when the connection timer expires, these are also based on TCP or UDP.
Surely, if I can search the logs and get the responses I want to see with two different eventtypes (one for TCP and one for UDP), I can display them on the same graph?
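To show what the suggested rex extraction does, and how the teardown events mentioned above behave under it, here is an added Python mirror of the search logic (example code, not from the thread or from Splunk). The log lines are constructed to match the eventtypes quoted above; a Splunk search would do the same work with rex and timechart.

```python
import re
from collections import Counter

# Constructed sample events (not real data): builds and teardowns for TCP and UDP.
SAMPLE_EVENTS = [
    '9/21/10 08:57:00 Host="x.x.x.x" Built outbound TCP connection for outside',
    '9/21/10 08:57:01 Host="x.x.x.x" Built outbound UDP connection for outside',
    '9/21/10 08:57:02 Host="x.x.x.x" Teardown TCP connection for outside',
    '9/21/10 08:57:03 Host="x.x.x.x" Built outbound TCP connection for outside',
    '9/21/10 08:57:04 Host="x.x.x.x" Teardown UDP connection for outside',
]

# Same pattern as the answer's rex; the named group becomes the "protocol" field.
# Teardown lines carry no "outbound", so they get no protocol field at all.
BUILD_RE = re.compile(r"outbound (?P<protocol>.*[^ ]) connection")

# Tighter variant: captures the action word and limits protocol to known tokens,
# so builds and teardowns can be charted separately instead of being mixed up.
EVENT_RE = re.compile(
    r"\b(?P<action>Built|Teardown)\b.*?\b(?P<protocol>TCP|UDP)\b connection"
)


def extract_protocol(line):
    """Mirror of rex "outbound (?<protocol>.*[^ ]) connection": protocol or None."""
    m = BUILD_RE.search(line)
    return m.group("protocol") if m else None


def count_by_protocol(lines, action="Built"):
    """Mirror of '... | rex ... | stats count by protocol' for one action type."""
    counts = Counter()
    for line in lines:
        m = EVENT_RE.search(line)
        if m and m.group("action") == action:
            counts[m.group("protocol")] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(extract_protocol(line), "<-", line)
    print("builds:", count_by_protocol(SAMPLE_EVENTS))
    print("teardowns:", count_by_protocol(SAMPLE_EVENTS, action="Teardown"))
```

Events with no extracted protocol field are dropped by "timechart count by protocol", which is why the answer's search already leaves the teardowns out of the build graph.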