Cisco ASA Deny Stats

mitcht (New Member)

I want to build a query that pulls Cisco ASA events based on a particular syslog message ID which shows denied traffic. I dedup the information for events that have the same source ip, destination ip, destination port and action. 

It seems to work well; however, now I would like to have a count added for each time that unique combination is seen.

Query is:

index=cisco sourcetype=cisco:asa message_id=XXXXXX |
dedup host, src_ip, dest_ip, dest_port, action |
table host, src_ip, dest_ip, dest_port, action |
sort host, src_ip, dest_ip, dest_port, action

That query gives me a table that appears to be dedup'ed; however, I would like to add a column that shows how many times each entry is seen.

0 Karma

richgalloway (SplunkTrust)

To get a count, replace the dedup command with stats. Since the stats command sorts its results, you don't need the separate sort command.

index=cisco sourcetype=cisco:asa message_id=XXXXXX 
| stats count by host, src_ip, dest_ip, dest_port, action 
| table host, src_ip, dest_ip, dest_port, action, count

---
If this reply helps you, Karma would be appreciated.
0 Karma
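The difference between the two searches, as an added Python example that is not part of the thread and not Splunk code: the dedup approach keeps one event per combination and throws the repeats away, while stats count by keeps one row per combination plus how many times it was seen. The sample syslog lines are constructed for this example; they use the Cisco ASA %ASA-4-106023 "Deny" message layout, and the choice of message ID 106023 is this example's assumption (the thread leaves the ID as XXXXXX). The field names match the ones used in the search above.

```python
import re
from collections import Counter, OrderedDict

# Constructed sample syslog lines (not real traffic). Five are 106023 "Deny"
# messages; the last is a 302014 teardown that the message_id filter must drop.
SAMPLE_LINES = [
    'Mar  3 10:00:01 fw-edge-01 %ASA-4-106023: Deny tcp src outside:203.0.113.5/51234 dst inside:10.0.0.20/445 by access-group "outside_in" [0x0, 0x0]',
    'Mar  3 10:00:02 fw-edge-01 %ASA-4-106023: Deny tcp src outside:203.0.113.5/51235 dst inside:10.0.0.20/445 by access-group "outside_in" [0x0, 0x0]',
    'Mar  3 10:00:03 fw-edge-01 %ASA-4-106023: Deny tcp src outside:203.0.113.5/51236 dst inside:10.0.0.20/3389 by access-group "outside_in" [0x0, 0x0]',
    'Mar  3 10:00:04 fw-edge-02 %ASA-4-106023: Deny udp src outside:198.51.100.9/53 dst inside:10.0.0.53/53 by access-group "outside_in" [0x0, 0x0]',
    'Mar  3 10:00:05 fw-edge-01 %ASA-4-106023: Deny tcp src outside:203.0.113.5/51237 dst inside:10.0.0.20/445 by access-group "outside_in" [0x0, 0x0]',
    'Mar  3 10:00:06 fw-edge-01 %ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.7/4444 to inside:10.0.0.21/80 duration 0:00:01 bytes 512 TCP FINs',
]

# Pulls out the same fields the SPL search groups on (host, src_ip, dest_ip,
# dest_port, action) plus the message ID used for filtering.
LINE_RE = re.compile(
    r'^\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+'
    r'%ASA-\d-(?P<message_id>\d{6}):\s+'
    r'(?P<action>Deny)\s+(?P<proto>\w+)\s+'
    r'src\s+\S+:(?P<src_ip>[\d.]+)/\d+\s+'
    r'dst\s+\S+:(?P<dest_ip>[\d.]+)/(?P<dest_port>\d+)'
)

GROUP_FIELDS = ("host", "src_ip", "dest_ip", "dest_port", "action")


def parse_events(lines, message_id="106023"):
    """Parse raw lines into field dicts, keeping only the requested message ID.
    This stands in for `index=cisco sourcetype=cisco:asa message_id=...`."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("message_id") == message_id:
            events.append(m.groupdict())
    return events


def _key(event):
    return tuple(event[f] for f in GROUP_FIELDS)


def dedup_events(events):
    """Equivalent of `dedup host, src_ip, dest_ip, dest_port, action`:
    the first event per combination survives, the repeat count is lost."""
    seen = OrderedDict()
    for ev in events:
        seen.setdefault(_key(ev), ev)
    return list(seen.values())


def count_by(events):
    """Equivalent of `stats count by host, src_ip, dest_ip, dest_port, action`:
    one row per combination with a count column, ordered by the group-by
    fields (dest_port compared numerically so 445 sorts before 3389)."""
    counts = Counter(_key(ev) for ev in events)
    ordered = sorted(counts, key=lambda k: (k[0], k[1], k[2], int(k[3]), k[4]))
    rows = []
    for key in ordered:
        row = dict(zip(GROUP_FIELDS, key))
        row["count"] = counts[key]
        rows.append(row)
    return rows


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LINES)
    print(f"{len(evs)} deny events, {len(dedup_events(evs))} unique combinations")
    for row in count_by(evs):
        print(row)
```

Running it shows why dedup alone cannot answer the question: the three repeated 203.0.113.5 to 10.0.0.20/445 denies collapse to one row either way, but only count_by carries the 3 along, which is the signal that distinguishes a scan or retry loop from a single blocked connection.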