Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

eventtype definition in a search

tmarlette
Motivator
‎11-28-2012 09:23 AM

So I have a search that is searching for IP address information from 4 eventtypes.

I am now trying to label these eventtypes, or define them, so upon searching the user will be able to see. "Connected to Host" or "disconnected by host" depending on which eventtype's information is being displayed.

This is my search:

(sourcetype=f5.1 eventtype=dst_clsd_con) OR (sourcetype=f5.1 eventtype=f5fix_accept) OR (sourcetype=f5.1 eventtype=f5fix_deny) OR (sourcetype=f5.1 eventtype=lb_dst_con)

and I'm looking to use a Table to display this information.

Any ideas?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎11-28-2012 04:55 PM

First, I would simplify the search to

sourcetype=f5.1 (eventtype=dst_clsd_con OR eventtype=f5fix_accept OR eventtype=f5fix_deny OR eventtype=lb_dst_con)

What exactly do you want to display in the table? Assuming that you have a field called "ip", you could do something like this:

sourcetype=f5.1 (eventtype=dst_clsd_con OR eventtype=f5fix_accept OR eventtype=f5fix_deny OR eventtype=lb_dst_con)
| eval message = "Unknown"
| eval message = case (eventtype=="dst_clsd_con", "Connected to Host",
                       eventtype=="f5fix_accept", "Accepted",
                       eventtype=="f5fix_deny", "Denied",
                       eventtype=="lb_dst_con", "Disconnected by Host")
| table _time ip message eventtype

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎11-28-2012 04:55 PM

First, I would simplify the search to

sourcetype=f5.1 (eventtype=dst_clsd_con OR eventtype=f5fix_accept OR eventtype=f5fix_deny OR eventtype=lb_dst_con)

What exactly do you want to display in the table? Assuming that you have a field called "ip", you could do something like this:

sourcetype=f5.1 (eventtype=dst_clsd_con OR eventtype=f5fix_accept OR eventtype=f5fix_deny OR eventtype=lb_dst_con)
| eval message = "Unknown"
| eval message = case (eventtype=="dst_clsd_con", "Connected to Host",
                       eventtype=="f5fix_accept", "Accepted",
                       eventtype=="f5fix_deny", "Denied",
                       eventtype=="lb_dst_con", "Disconnected by Host")
| table _time ip message eventtype
Reply
Solved! Jump to solution

lguinn2
Legend
‎04-17-2013 03:28 PM

BTW, if you had a lot of text labels for stuff like this, you could create a lookup table with fields like

eventtype,label
f5fix_deny,"Denied"
etc,etc

and then use a lookup in your search to retrieve the labels (instead of creating the message)

Reply
Solved! Jump to solution

tmarlette
Motivator
‎11-29-2012 06:37 AM

Iguinn,

thank you! I actually tried something similar and it failed, but I bet your way would work. I just decided to clone the event's themselves, and rename them, then just add the 'event' field to the table. It worked like a charm.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...