Hi there,
I am trying to build up a firewall report:
"sourcetype="firewall" action=blocked | table host src dest src_port dest_port"
This gives me endless rows, and many of them are duplicated.
I want to remove all the duplicates and count them so that I have something like
HOST | SRC | DEST | SRC_PORT | DEST_PORT | COUNT
that would give a nice overview.
The simplest solution is to do a count by the fields you are interested in. It might still be very cluttered, I guess; I assume SRC_PORT will vary a lot?
sourcetype="firewall" action=blocked | stats count by host src dest src_port dest_port
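To make the behaviour of the suggested stats count by pipeline concrete, here is an added Python example (not from the thread, and not Splunk's own code) that aggregates a constructed set of blocked firewall events the same way. It groups by the field list from the answer, then by a shorter list that drops src_port, and finally by zone fields (src_zone and dest_zone, which are assumed names, since the thread only mentions "zones"), so you can see how the row count shrinks as the high-cardinality ephemeral source port is removed. As in Splunk, events missing any of the by-fields are left out of the result.

```python
from collections import Counter

# Constructed sample of firewall events in key=value form (not real log data).
# Field names host/src/dest/src_port/dest_port come from the thread's queries;
# src_zone/dest_zone are assumed names for the "zones" mentioned by the asker.
SAMPLE_EVENTS = [
    "host=fw1 action=blocked src=10.0.0.5 dest=192.0.2.10 src_port=51234 dest_port=22 src_zone=lan dest_zone=dmz",
    "host=fw1 action=blocked src=10.0.0.5 dest=192.0.2.10 src_port=51235 dest_port=22 src_zone=lan dest_zone=dmz",
    "host=fw1 action=blocked src=10.0.0.5 dest=192.0.2.10 src_port=51234 dest_port=22 src_zone=lan dest_zone=dmz",
    "host=fw1 action=blocked src=10.0.0.7 dest=192.0.2.10 src_port=40001 dest_port=443 src_zone=lan dest_zone=dmz",
    "host=fw2 action=blocked src=198.51.100.9 dest=10.0.0.20 src_port=3333 dest_port=3389 src_zone=wan dest_zone=lan",
    "host=fw1 action=allowed src=10.0.0.5 dest=192.0.2.10 src_port=51236 dest_port=22 src_zone=lan dest_zone=dmz",
]


def parse_event(line):
    """Turn a 'k=v k=v ...' log line into a dict of string fields."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def blocked_events(lines):
    """Equivalent of the search filter: sourcetype="firewall" action=blocked."""
    events = [parse_event(line) for line in lines]
    return [ev for ev in events if ev.get("action") == "blocked"]


def stats_count_by(events, group_fields):
    """Equivalent of SPL 'stats count by <group_fields>'.

    Returns one row per distinct combination of the group fields, with a
    'count' column, sorted by count descending. Like Splunk, an event that
    lacks any of the by-fields is dropped rather than grouped under a null.
    """
    counter = Counter()
    for ev in events:
        if any(field not in ev for field in group_fields):
            continue
        counter[tuple(ev[field] for field in group_fields)] += 1

    rows = [dict(zip(group_fields, key), count=n) for key, n in counter.items()]
    rows.sort(key=lambda r: (-r["count"], tuple(r[f] for f in group_fields)))
    return rows


def print_table(rows, group_fields):
    """Render rows as a simple text table, like Splunk's table/stats output."""
    header = [f.upper() for f in group_fields] + ["COUNT"]
    print(" | ".join(header))
    for row in rows:
        print(" | ".join(str(row[f]) for f in group_fields + ["count"]))
    print()


if __name__ == "__main__":
    events = blocked_events(SAMPLE_EVENTS)

    # 1. The answer's grouping: every ephemeral src_port becomes its own row.
    full = ["host", "src", "dest", "src_port", "dest_port"]
    print_table(stats_count_by(events, full), full)

    # 2. Drop src_port: repeated connections to the same service collapse.
    no_src_port = ["host", "src", "dest", "dest_port"]
    print_table(stats_count_by(events, no_src_port), no_src_port)

    # 3. Group by zones: the overview the asker settled on.
    zones = ["host", "src_zone", "dest_zone"]
    print_table(stats_count_by(events, zones), zones)
```

With the constructed data, grouping on the full field list yields four rows, dropping src_port yields three, and grouping by zones yields two; the same collapse is what you see in Splunk when you shorten the by-clause.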
Thank you. Yes, ports change a lot. I think it's much smarter to display the zones 🙂
Don't forget to click Accept to close the question.