- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Knowledge Management
- :
- Re: eventtype definition in a search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I have a search that is searching for IP address information from 4 eventtypes.
I am now trying to label these eventtypes, or define them, so upon searching the user will be able to see. "Connected to Host" or "disconnected by host" depending on which eventtype's information is being displayed.
This is my search:
(sourcetype=f5.1 eventtype=dst_clsd_con) OR (sourcetype=f5.1 eventtype=f5fix_accept) OR (sourcetype=f5.1 eventtype=f5fix_deny) OR (sourcetype=f5.1 eventtype=lb_dst_con)
and I'm looking to use a Table to display this information.
Any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, I would simplify the search to
sourcetype=f5.1 (eventtype=dst_clsd_con OR eventtype=f5fix_accept OR eventtype=f5fix_deny OR eventtype=lb_dst_con)
What exactly do you want to display in the table? Assuming that you have a field called "ip", you could do something like this:
sourcetype=f5.1 (eventtype=dst_clsd_con OR eventtype=f5fix_accept OR eventtype=f5fix_deny OR eventtype=lb_dst_con)
| eval message = "Unknown"
| eval message = case (eventtype=="dst_clsd_con", "Connected to Host",
eventtype=="f5fix_accept", "Accepted",
eventtype=="f5fix_deny", "Denied",
eventtype=="lb_dst_con", "Disconnected by Host")
| table _time ip message eventtype
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, I would simplify the search to
sourcetype=f5.1 (eventtype=dst_clsd_con OR eventtype=f5fix_accept OR eventtype=f5fix_deny OR eventtype=lb_dst_con)
What exactly do you want to display in the table? Assuming that you have a field called "ip", you could do something like this:
sourcetype=f5.1 (eventtype=dst_clsd_con OR eventtype=f5fix_accept OR eventtype=f5fix_deny OR eventtype=lb_dst_con)
| eval message = "Unknown"
| eval message = case (eventtype=="dst_clsd_con", "Connected to Host",
eventtype=="f5fix_accept", "Accepted",
eventtype=="f5fix_deny", "Denied",
eventtype=="lb_dst_con", "Disconnected by Host")
| table _time ip message eventtype
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
BTW, if you had a lot of text labels for stuff like this, you could create a lookup table with fields like
eventtype,label
f5fix_deny,"Denied"
etc,etc
and then use a lookup in your search to retrieve the labels (instead of creating the message)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Iguinn,
thank you! I actually tried something similar and it failed, but I bet your way would work. I just decided to clone the event's themselves, and rename them, then just add the 'event' field to the table. It worked like a charm.
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
