Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

eventtype definition in a search

tmarlette
Motivator
‎11-28-2012 09:23 AM

So I have a search that is searching for IP address information from 4 eventtypes.

I am now trying to label these eventtypes, or define them, so upon searching the user will be able to see. "Connected to Host" or "disconnected by host" depending on which eventtype's information is being displayed.

This is my search:

(sourcetype=f5.1 eventtype=dst_clsd_con) OR (sourcetype=f5.1 eventtype=f5fix_accept) OR (sourcetype=f5.1 eventtype=f5fix_deny) OR (sourcetype=f5.1 eventtype=lb_dst_con)

and I'm looking to use a Table to display this information.

Any ideas?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎11-28-2012 04:55 PM

First, I would simplify the search to

sourcetype=f5.1 (eventtype=dst_clsd_con OR eventtype=f5fix_accept OR eventtype=f5fix_deny OR eventtype=lb_dst_con)

What exactly do you want to display in the table? Assuming that you have a field called "ip", you could do something like this:

sourcetype=f5.1 (eventtype=dst_clsd_con OR eventtype=f5fix_accept OR eventtype=f5fix_deny OR eventtype=lb_dst_con)
| eval message = "Unknown"
| eval message = case (eventtype=="dst_clsd_con", "Connected to Host",
                       eventtype=="f5fix_accept", "Accepted",
                       eventtype=="f5fix_deny", "Denied",
                       eventtype=="lb_dst_con", "Disconnected by Host")
| table _time ip message eventtype

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎11-28-2012 04:55 PM

First, I would simplify the search to

sourcetype=f5.1 (eventtype=dst_clsd_con OR eventtype=f5fix_accept OR eventtype=f5fix_deny OR eventtype=lb_dst_con)

What exactly do you want to display in the table? Assuming that you have a field called "ip", you could do something like this:

sourcetype=f5.1 (eventtype=dst_clsd_con OR eventtype=f5fix_accept OR eventtype=f5fix_deny OR eventtype=lb_dst_con)
| eval message = "Unknown"
| eval message = case (eventtype=="dst_clsd_con", "Connected to Host",
                       eventtype=="f5fix_accept", "Accepted",
                       eventtype=="f5fix_deny", "Denied",
                       eventtype=="lb_dst_con", "Disconnected by Host")
| table _time ip message eventtype
Reply
Solved! Jump to solution

lguinn2
Legend
‎04-17-2013 03:28 PM

BTW, if you had a lot of text labels for stuff like this, you could create a lookup table with fields like

eventtype,label
f5fix_deny,"Denied"
etc,etc

and then use a lookup in your search to retrieve the labels (instead of creating the message)

Reply
Solved! Jump to solution

tmarlette
Motivator
‎11-29-2012 06:37 AM

Iguinn,

thank you! I actually tried something similar and it failed, but I bet your way would work. I just decided to clone the event's themselves, and rename them, then just add the 'event' field to the table. It worked like a charm.

0 Karma
Reply
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...