Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

eventtype definition in a search

tmarlette
Motivator
‎11-28-2012 09:23 AM

So I have a search that is searching for IP address information from 4 eventtypes.

I am now trying to label these eventtypes, or define them, so upon searching the user will be able to see. "Connected to Host" or "disconnected by host" depending on which eventtype's information is being displayed.

This is my search:

(sourcetype=f5.1 eventtype=dst_clsd_con) OR (sourcetype=f5.1 eventtype=f5fix_accept) OR (sourcetype=f5.1 eventtype=f5fix_deny) OR (sourcetype=f5.1 eventtype=lb_dst_con)

and I'm looking to use a Table to display this information.

Any ideas?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎11-28-2012 04:55 PM

First, I would simplify the search to

sourcetype=f5.1 (eventtype=dst_clsd_con OR eventtype=f5fix_accept OR eventtype=f5fix_deny OR eventtype=lb_dst_con)

What exactly do you want to display in the table? Assuming that you have a field called "ip", you could do something like this:

sourcetype=f5.1 (eventtype=dst_clsd_con OR eventtype=f5fix_accept OR eventtype=f5fix_deny OR eventtype=lb_dst_con)
| eval message = "Unknown"
| eval message = case (eventtype=="dst_clsd_con", "Connected to Host",
                       eventtype=="f5fix_accept", "Accepted",
                       eventtype=="f5fix_deny", "Denied",
                       eventtype=="lb_dst_con", "Disconnected by Host")
| table _time ip message eventtype

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎11-28-2012 04:55 PM

First, I would simplify the search to

sourcetype=f5.1 (eventtype=dst_clsd_con OR eventtype=f5fix_accept OR eventtype=f5fix_deny OR eventtype=lb_dst_con)

What exactly do you want to display in the table? Assuming that you have a field called "ip", you could do something like this:

sourcetype=f5.1 (eventtype=dst_clsd_con OR eventtype=f5fix_accept OR eventtype=f5fix_deny OR eventtype=lb_dst_con)
| eval message = "Unknown"
| eval message = case (eventtype=="dst_clsd_con", "Connected to Host",
                       eventtype=="f5fix_accept", "Accepted",
                       eventtype=="f5fix_deny", "Denied",
                       eventtype=="lb_dst_con", "Disconnected by Host")
| table _time ip message eventtype
Reply
Solved! Jump to solution

lguinn2
Legend
‎04-17-2013 03:28 PM

BTW, if you had a lot of text labels for stuff like this, you could create a lookup table with fields like

eventtype,label
f5fix_deny,"Denied"
etc,etc

and then use a lookup in your search to retrieve the labels (instead of creating the message)

Reply
Solved! Jump to solution

tmarlette
Motivator
‎11-29-2012 06:37 AM

Iguinn,

thank you! I actually tried something similar and it failed, but I bet your way would work. I just decided to clone the event's themselves, and rename them, then just add the 'event' field to the table. It worked like a charm.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...