How to setup a report on all the firewalls reporti...

plantiw · ‎08-06-2018

I am trying to create a report to just show what firewalls are reporting to Splunk.

plantiw · ‎08-06-2018

I am new to splunk and how do I use that

jdhunter · ‎08-06-2018

Type that in your search as is, you just need to know what index the firewall data is being written to and update the portion after index=

Once you get the syntax correct, you can create a report by clicking Save As > Report and schedule it to run daily, weekly, etc.

jdhunter · ‎08-06-2018

http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Metadata

| metadata type=hosts index=your_firewall_index

renjith_nair · ‎08-06-2018

Would you mind providing little more information ?
- What's present in your events regarding firewall? or How would you identify that the events are coming from firewall?
- Is the source field contain any information regarding the actual source of information?

---
What goes around comes around. If it helps, hit it with Karma 🙂

plantiw · ‎08-06-2018

8/6/18
9:15:30.000 AM

Aug 6 09:15:30 172.19.76.9 Aug 06 2018 09:15:30: %ASA-6-302016: Teardown UDP connection 1332069924 for DMZ-8:172.19.115.13/53 to Inside:172.19.32.15/58709 duration 0:00:00 bytes 108
host = 172.19.76.9 source = udp:1480 sourcetype = cisco:asa

How to setup a report on all the firewalls reporting to Splunk?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation