Hi everyone,
I would like to know, how could I extract the source IP address?
I need a report from sources IP to "Accessed URL" (top 100) in Cisco ASA.
In the example below, the source IP is 10.2.22.65.
Jul 13 14:22:03 10.2.1.216 %ASA-5-304001: 10.2.22.65 Accessed URL 82.165.39.131:http://www.collajove.cat/img/content_bg.jpg
Best Regards
Antonio
Regex to the rescue! Try this:
sourcetype=your-sourcetype | rex "(?<src_ip>\d+.\d+.\d+.\d+) Accessed URL"
Hope the helps 🙂
Hi kenth,
It´s other good option, but I don´t manage Splunk´s appliances and is better for me to use only queries.
Best Regards
Or you could just download my Splunk for Cisco ASA app which has these extractions and also dashboards for them 🙂
Thank you so much R.Turk,
Regex is working fine 🙂
Have a good day
Regex to the rescue! Try this:
sourcetype=your-sourcetype | rex "(?<src_ip>\d+.\d+.\d+.\d+) Accessed URL"
Hope the helps 🙂