Splunk Search

How do I combine information from two traps into a single line in table based off of message ID comparison, user, and IP address?

mstiger12
New Member

How do I combine information from two traps into a single line in a table based on a message ID comparison, user, and IP address (where the IP address in one trap is in the message text and not in a field)?

My search is as follows:

sourcetype="cisco:asa" host="*" message_id=113039 OR message_id=716002 OR message_id=113019
| eval ClientIP=src_ip 
| table ClientIP, user, message_id, host, bytes_in, bytes_out, Total-BW, duration_hour, duration_minute, duration_second, _time 
| localop | iplocation ClientIP 
| rename bytes_in as Byte_Rcv | rename bytes_out as Byte_xmt 
| addtotals fieldname=Total-BW Byte

Trap Format:

Oct 13 09:17:03 CiscoASA: %ASA-6-716002: Group  User  IP <111.222.333.444> WebVPN session terminated: Idle Timeout.
Oct 13 09:17:03 CiscoASA: %ASA-4-113019: Group = DTCC-VPN, Username = ABCD, IP = 111.222.333.444, Session disconnected. Session Type: IKEv2, Duration: 0h:48m:16s, Bytes xmt: 13787509, Bytes rcv: 1937242, Reason: Idle Timeout

Current Output :

Client     user   messageID   host       Byte-rcv   Bytexmt   Total-byte   dur-hr   dur-min  dur-sec   time           city      country    region   lat   lon
           ABCD   113019      CiscoASA   1937242    13787509  15787509     0        48       16        2016-10-13...   
x.x.x.444  ABCD   716002      CiscoASA                                                                 2016-10-13     Arlington  US         TX       32.7  97.0
0 Karma

lguinn2
Legend

Try this:

sourcetype="cisco:asa" host="*" message_id=113039 OR message_id=716002 OR message_id=113019
| rex "IP \<(?<new_ip>[^>]+)\>"
| eval ClientIP=coalesce(src_ip,IP,new_ip)
| stats values(message_id) as message_id, first(host) as host, first(bytes_in) as bytes_in,
      first(bytes_out) as bytes_out, first(duration_hour) as duration_hour,
      first(duration_minute) as duration_minute, first(duration_second) as duration_second,
      first(_time) as event_time by ClientIP user
| localop | iplocation ClientIP
| rename bytes_in as Byte_Rcv | rename bytes_out as Byte_xmt
| eval event_time=strftime(event_time,"%x %X")
| addtotals fieldname=Total-BW Byte_Rcv Byte_xmt

The stats command picks the first non-null value for each field. If there is more than one value and you want to see them all, use "list" instead of "first" in the stats command.

0 Karma
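As an added illustration (not part of either post), the following Python script does outside Splunk what the answer's pipeline does: it pulls the IP out of both trap formats (the `IP <...>` form with a regex, the `IP = ...` form as a key/value pair), coalesces them into one ClientIP, and then, like `stats first(...) by ClientIP user`, keeps the first non-null value of each field per (IP, user) pair and sums the byte counters the way `addtotals` would. The two log lines are constructed from the formats quoted in the question, with the group and user names in the 716002 line filled in as assumptions. The `group_by` parameter exists only in this script; it is there to show that adding message_id to the grouping keys leaves the two traps on separate rows, which is what the original search was producing.

```python
import re
from collections import OrderedDict

# Constructed sample traps, modelled on the two formats quoted in the question.
# Group/user values in the 716002 line are assumptions; the IP is the page's own placeholder.
SAMPLE_TRAPS = [
    "Oct 13 09:17:03 CiscoASA: %ASA-6-716002: Group <DTCC-VPN> User <ABCD> IP <111.222.333.444> "
    "WebVPN session terminated: Idle Timeout.",
    "Oct 13 09:17:03 CiscoASA: %ASA-4-113019: Group = DTCC-VPN, Username = ABCD, IP = 111.222.333.444, "
    "Session disconnected. Session Type: IKEv2, Duration: 0h:48m:16s, Bytes xmt: 13787509, "
    "Bytes rcv: 1937242, Reason: Idle Timeout",
]

HEADER_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+): %ASA-\d-(?P<message_id>\d+): (?P<body>.*)$")
IP_ANGLE_RE = re.compile(r"IP <(?P<ip>[^>]+)>")          # 716002 style, same idea as the rex in the answer
IP_KV_RE = re.compile(r"IP = (?P<ip>[\d.]+)")             # 113019 style, normally a field extraction
USER_ANGLE_RE = re.compile(r"User <(?P<user>[^>]+)>")
USER_KV_RE = re.compile(r"Username = (?P<user>[^,]+)")
BYTES_RE = re.compile(r"Bytes xmt: (?P<bytes_out>\d+), Bytes rcv: (?P<bytes_in>\d+)")
DURATION_RE = re.compile(r"Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s")

# Fields for which "first non-null value wins", as stats first() does.
FIRST_FIELDS = ["host", "bytes_in", "bytes_out", "duration_hour", "duration_minute", "duration_second", "_time"]


def parse_trap(line):
    """Turn one syslog line into a dict of fields; returns None if it is not an ASA trap."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    ev = {"host": m["host"], "message_id": m["message_id"], "_time": m["ts"]}
    body = m["body"]
    ip = IP_KV_RE.search(body) or IP_ANGLE_RE.search(body)      # coalesce(IP, new_ip)
    if ip:
        ev["ClientIP"] = ip["ip"]
    user = USER_KV_RE.search(body) or USER_ANGLE_RE.search(body)
    if user:
        ev["user"] = user["user"].strip()
    b = BYTES_RE.search(body)
    if b:
        ev["bytes_in"], ev["bytes_out"] = int(b["bytes_in"]), int(b["bytes_out"])
    d = DURATION_RE.search(body)
    if d:
        ev["duration_hour"], ev["duration_minute"], ev["duration_second"] = int(d["h"]), int(d["m"]), int(d["s"])
    return ev


def merge_sessions(events, group_by=("ClientIP", "user")):
    """Emulate `stats values(message_id) first(<fields>) by <group_by>` followed by addtotals."""
    rows = OrderedDict()
    for ev in events:
        if ev is None:
            continue
        key = tuple(ev.get(f) for f in group_by)
        if None in key:
            continue                                # stats drops events missing a by-field
        row = rows.setdefault(key, dict(zip(group_by, key)))
        row.setdefault("message_ids", [])
        if ev["message_id"] not in row["message_ids"]:
            row["message_ids"].append(ev["message_id"])
        for f in FIRST_FIELDS:
            if f not in row and f in ev:            # first non-null value wins
                row[f] = ev[f]
    for row in rows.values():
        row["message_ids"].sort()                   # values() returns a sorted, deduplicated list
        # addtotals fieldname=Total-BW Byte_Rcv Byte_xmt
        row["Total-BW"] = row.get("bytes_in", 0) + row.get("bytes_out", 0)
    return list(rows.values())


if __name__ == "__main__":
    events = [parse_trap(line) for line in SAMPLE_TRAPS]
    for row in merge_sessions(events):
        print(row)
    # Grouping by message_id as well keeps the two traps on separate rows.
    print(len(merge_sessions(events, group_by=("ClientIP", "user", "message_id"))), "rows when grouped by message_id")
```

Running it prints one merged row carrying the IP and user from both traps together with the byte counts and duration from the 113019 event, and then reports two rows for the message_id grouping.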