Windows Firewall log

hafizuddin
Path Finder

Hi, I'm a newbie to Splunk Enterprise.

I have a log file for Windows Firewall that I already point to Splunk via a universal forwarder, and Splunk reads it as below:

11/27/17
9:56:14.000 AM 2017-11-27 09:56:14 ALLOW UDP 202.217.203.244 58.139.24.118 52785 161 0 - - - - - - - SEND
host = BITNPM01 source = C:\Windows\System32\LogFiles\Firewall\pfirewall.log sourcetype = pfirewall

11/27/17
9:56:14.000 AM 2017-11-27 09:56:14 ALLOW UDP 202.217.203.244 114.133.193.1 52785 161 0 - - - - - - - SEND
host = BITNPM01 source = C:\Windows\System32\LogFiles\Firewall\pfirewall.log sourcetype = pfirewall

I just want to create a table from this log where I need to split out variables like source IP, destination IP and time. I have tried to use the pivot function, but the variables I need are not shown.

0 Karma

cpetterborg
SplunkTrust

Have you done any field extractions or are you using a Technology Addon (TA) that is giving you any field extractions? If not, that is your first problem. Once you have the field extractions, you can simply display a table of the data with:

<your_base_search> | table *

or you can define which of the fields you want displayed in your table with:

<your_base_search> | table field, field2, field3

But you do have to have fields being extracted for either of these to do anything useful. Here is a useful document to get you started in creating your own automatic field extraction:

http://docs.splunk.com/Documentation/Splunk/7.0.0/Knowledge/ExtractfieldsinteractivelywithIFX

0 Karma
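The point in the answer above is that `table` can only show fields that have already been extracted. For pfirewall.log the extraction is easy because the file is space-delimited W3C format with a fixed column order. The following is an added example, not code from the original thread or from Splunk: a Python parser that applies one regex to the two event lines posted in the question (plus a constructed header and a constructed DROP/RECEIVE line to show the other shapes) and then emulates `| table time src_ip dst_ip`. The field names (`src_ip`, `dst_ip`, and so on) are the example's own choices.

```python
import re
from datetime import datetime

# Windows Firewall writes pfirewall.log in W3C extended log format. The column
# order below is the one the file's own "#Fields:" header line announces:
#   date time action protocol src-ip dst-ip src-port dst-port size tcpflags
#   tcpsyn tcpack tcpwin icmptype icmpcode info path
# One named group per column. "-" is the firewall's placeholder for "not
# applicable" (TCP flags on a UDP datagram, ports on ICMP, and so on).
PFIREWALL_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<action>\S+)\s+(?P<protocol>\S+)\s+"
    r"(?P<src_ip>\S+)\s+(?P<dst_ip>\S+)\s+"
    r"(?P<src_port>\S+)\s+(?P<dst_port>\S+)\s+(?P<size>\S+)\s+"
    r"(?P<tcpflags>\S+)\s+(?P<tcpsyn>\S+)\s+(?P<tcpack>\S+)\s+(?P<tcpwin>\S+)\s+"
    r"(?P<icmptype>\S+)\s+(?P<icmpcode>\S+)\s+(?P<info>\S+)\s+"
    r"(?P<path>SEND|RECEIVE)\s*$"
)

# Columns worth turning into integers so they can be filtered numerically.
INT_FIELDS = {"src_port", "dst_port", "size", "tcpwin"}

# Constructed sample: the header lines and the DROP line are made up for this
# example; the two ALLOW lines are the events shown in the question.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-11-27 09:56:14 ALLOW UDP 202.217.203.244 58.139.24.118 52785 161 0 - - - - - - - SEND
2017-11-27 09:56:14 ALLOW UDP 202.217.203.244 114.133.193.1 52785 161 0 - - - - - - - SEND
2017-11-27 09:57:02 DROP TCP 10.0.0.25 192.168.1.10 44321 3389 52 S 123456789 0 8192 - - - RECEIVE
"""


def parse_line(line):
    """Extract fields from one pfirewall.log line.

    Returns a dict, or None for blank lines, '#' header/comment lines and
    anything that does not match the expected column layout.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = PFIREWALL_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key, value in rec.items():
        if value == "-":
            rec[key] = None          # placeholder, not a real value
        elif key in INT_FIELDS:
            rec[key] = int(value)
    # The event's own timestamp; this is the value Splunk already shows as _time.
    rec["timestamp"] = datetime.strptime(
        rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S"
    )
    return rec


def parse_log(text):
    """Parse a whole log file body, silently skipping header and junk lines."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def table(records, columns):
    """Rough equivalent of `| table col1 col2 ...`: one tuple per event."""
    return [tuple(r.get(c) for c in columns) for r in records]


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for row in table(rows, ["time", "action", "src_ip", "dst_ip", "dst_port", "path"]):
        print(row)
```

The same regex can be reused inside Splunk, since `rex` and the `EXTRACT-` settings in props.conf are PCRE-based and accept `(?P<name>...)` groups: try it interactively with `sourcetype=pfirewall | rex field=_raw "<regex>" | table _time src_ip dst_ip`, and once it looks right make it permanent as `EXTRACT-pfirewall = <regex>` under a `[pfirewall]` stanza in props.conf on the search head. Note that `_time` in the question already matches the event's own timestamp, so timestamp recognition is working; only the field extraction is missing.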

HiroshiSatoh
Champion

If the field is not displayed only for a specific user, I think it is a matter of permissions. Please check the permission settings of the field extraction.

Fields » Field extractions
OR
Fields » Field transformations

0 Karma

HiroshiSatoh
Champion

What cannot be displayed?
Is it a field? Is it a pivot table?

0 Karma

hafizuddin
Path Finder

It is a field...

0 Karma