eventtype definition in a search

Motivator

So I have a search that is searching for IP address information from 4 eventtypes.

I am now trying to label these eventtypes, or define them, so that upon searching the user will be able to see "Connected to Host" or "disconnected by host" depending on which eventtype's information is being displayed.

This is my search:

(sourcetype=f5.1 eventtype=dst_clsd_con) OR (sourcetype=f5.1 eventtype=f5fix_accept) OR (sourcetype=f5.1 eventtype=f5fix_deny) OR (sourcetype=f5.1 eventtype=lb_dst_con)

and I'm looking to use a Table to display this information.

Any ideas?


Legend

First, I would simplify the search to

sourcetype=f5.1 (eventtype=dst_clsd_con OR eventtype=f5fix_accept OR eventtype=f5fix_deny OR eventtype=lb_dst_con)

What exactly do you want to display in the table? Assuming that you have a field called "ip", you could do something like this:

sourcetype=f5.1 (eventtype=dst_clsd_con OR eventtype=f5fix_accept OR eventtype=f5fix_deny OR eventtype=lb_dst_con)
| eval message = case(eventtype=="dst_clsd_con", "Connected to Host",
                      eventtype=="f5fix_accept", "Accepted",
                      eventtype=="f5fix_deny", "Denied",
                      eventtype=="lb_dst_con", "Disconnected by Host",
                      true(), "Unknown")
| table _time ip message eventtype

(The "Unknown" default goes inside case() as a final true() branch: case() returns null when nothing matches, and a second eval assigning null would wipe out a default set by an earlier eval.)



Legend

BTW, if you had a lot of text labels for stuff like this, you could create a lookup table with fields like

eventtype,label
f5fix_deny,"Denied"
etc,etc

and then use a lookup in your search to retrieve the labels (instead of creating the message)
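As an added example (not from the original thread), here is the lookup approach from the comment above worked through in SPL: the first search builds the CSV with outputlookup so nothing has to be uploaded by hand, and the second replaces case() with a lookup so new eventtypes only need a new CSV row, not a search change. The field name ip is assumed as in the answer, and eventtype_labels.csv is a file name chosen here.

```spl
| makeresults count=4
| streamstats count AS n
| eval eventtype = case(n==1, "dst_clsd_con",
                        n==2, "f5fix_accept",
                        n==3, "f5fix_deny",
                        n==4, "lb_dst_con")
| eval label = case(eventtype=="dst_clsd_con", "Connected to Host",
                    eventtype=="f5fix_accept", "Accepted",
                    eventtype=="f5fix_deny", "Denied",
                    eventtype=="lb_dst_con", "Disconnected by Host")
| table eventtype label
| outputlookup eventtype_labels.csv

sourcetype=f5.1 (eventtype=dst_clsd_con OR eventtype=f5fix_accept OR eventtype=f5fix_deny OR eventtype=lb_dst_con)
| lookup eventtype_labels.csv eventtype OUTPUT label
| fillnull value="Unknown" label
| table _time ip label eventtype
```

Run `| inputlookup eventtype_labels.csv` to confirm the four rows landed before relying on the second search; fillnull keeps a visible "Unknown" for any event whose eventtype has no row in the CSV.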

Motivator

Iguinn,

thank you! I actually tried something similar and it failed, but I bet your way would work. I just decided to clone the events themselves and rename them, then just add the 'event' field to the table. It worked like a charm.
