Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Windows Firewall log

hafizuddin
Path Finder
‎11-26-2017 06:19 PM

Hi, im newbie for splunk enterprise

I had a log file for windows firewall that I already point to Splunk via universal forwarder and splunk read as per below:

11/27/17
9:56:14.000 AM 2017-11-27 09:56:14 ALLOW UDP 202.217.203.244 58.139.24.118 52785 161 0 - - - - - - - SEND
host = BITNPM01 source = C:\Windows\System32\LogFiles\Firewall\pfirewall.log sourcetype = pfirewall

11/27/17
9:56:14.000 AM 2017-11-27 09:56:14 ALLOW UDP 202.217.203.244 114.133.193.1 52785 161 0 - - - - - - - SEND
host = BITNPM01 source = C:\Windows\System32\LogFiles\Firewall\pfirewall.log sourcetype = pfirewall**

I just want to create a table form this log where I need to split variable like source IP, destination IP and time. I had try to used pivot function but the variable it not shown for those i need.

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎11-27-2017 12:01 PM

Have you done any field extractions or are you using a Technology Addon (TA) that is giving you any field extractions? If not, that is your first problem. Once you have the field extractions, you can simply display a table of the data with:

<your_base_search> | table *

or you can define which of the fields you want displayed in your table with:

<your_base_search> | table field, field2, field3

But you do have to have fields being extracted for either of these to do anything useful. Here is a useful document to get you started in creating your own automatic field extraction:

http://docs.splunk.com/Documentation/Splunk/7.0.0/Knowledge/ExtractfieldsinteractivelywithIFX

0 Karma
Reply

HiroshiSatoh
Champion
‎11-26-2017 11:09 PM

If the field is not displayed only for a specific user, I think that it is a matter of authority. Please check the permission setting of field extraction.

Fields » Field extractions
OR
Fields » Field transformations

0 Karma
Reply

HiroshiSatoh
Champion
‎11-26-2017 07:13 PM

What can not be displayed?
Is it a field? Is it a pivot table?

0 Karma
Reply

hafizuddin
Path Finder
‎11-26-2017 08:10 PM

it is a Field...

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...