Splunk Search

How do I combine information from two traps into a single line in a table based on message ID comparison, user, and IP address?

mstiger12
New Member

How do I combine information from two traps into a single line in a table based on message ID comparison, user, and IP address (where the IP address in one trap is in the message text and not in a field)?

My search is as follows:

sourcetype="cisco:asa" host="*" message_id=113039 OR message_id=716002 OR message_id=113019
| eval ClientIP=src_ip 
| table ClientIP, user, message_id, host, bytes_in, bytes_out, Total-BW, duration_hour, duration_minute, duration_second, _time 
| localop | iplocation ClientIP 
| rename bytes_in as Byte_Rcv | rename bytes_out as Byte_xmt 
| addtotals fieldname=Total-BW Byte

Trap Format:

Oct 13 09:17:03 CiscoASA: %ASA-6-716002: Group  User  IP <111.222.333.444> WebVPN session terminated: Idle Timeout.
Oct 13 09:17:03 CiscoASA: %ASA-4-113019: Group = DTCC-VPN, Username = ABCD, IP = 111.222.333.444, Session disconnected. Session Type: IKEv2, Duration: 0h:48m:16s, Bytes xmt: 13787509, Bytes rcv: 1937242, Reason: Idle Timeout

Current output:

Client     user   messageID   host       Byte-rcv   Bytexmt   Total-byte   dur-hr   dur-min  dur-sec   time           city      country    region   lat   lon
           ABCD   113019      CiscoASA   1937242    13787509  15787509     0        48       16        2016-10-13...   
x.x.x.444  ABCD   716002      CiscoASA                                                                 2016-10-13     Arlington  US         TX       32.7  97.0
0 Karma

lguinn2
Legend

Try this:

sourcetype="cisco:asa" host="*" (message_id=113039 OR message_id=716002 OR message_id=113019)
| eval ClientIP=src_ip
| rex "IP <(?<new_ip>\d{1,3}(?:\.\d{1,3}){3})>"
| eval ClientIP = coalesce(ClientIP,src_ip,IP,new_ip)
| stats first(host) as host, first(bytes_in) as bytes_in, first(bytes_out) as bytes_out,
      first(Total-BW) as Total-BW, first(duration_hour) as duration_hour,
      first(duration_minute) as duration_minute,  first(duration_second) as duration_second,
      first(_time) as event_time by ClientIP user message_id
| localop | iplocation ClientIP
| rename bytes_in as Byte_Rcv | rename bytes_out as Byte_xmt
| eval event_time=strftime(event_time,"%x %X")
| addtotals fieldname=Total-BW Byte

The stats command picks the first non-null value for each field. If there is more than one value and you want to see them all, use "list" instead of "first" in the stats command.

0 Karma
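To make the coalesce/first() logic concrete outside Splunk, here is an added example (not from either post, and not Splunk's own code) that parses the two ASA message formats shown in the question and collapses them into one row per (ClientIP, user), the way the answer's rex, coalesce and stats first() steps do. The two sample events are constructed to match the traps above; the user, the documentation-range IP and the byte counters are placeholder values, and the 716002 sample is given a user so the two events have a common key.

```python
import re

# Constructed sample events shaped like the two traps in the question; the user,
# the IP (from the 203.0.113.0/24 documentation range) and the counters are placeholders.
SAMPLE_EVENTS = [
    "Oct 13 09:17:03 CiscoASA: %ASA-6-716002: Group  User ABCD IP <203.0.113.44> "
    "WebVPN session terminated: Idle Timeout.",
    "Oct 13 09:17:03 CiscoASA: %ASA-4-113019: Group = DTCC-VPN, Username = ABCD, "
    "IP = 203.0.113.44, Session disconnected. Session Type: IKEv2, "
    "Duration: 0h:48m:16s, Bytes xmt: 13787509, Bytes rcv: 1937242, Reason: Idle Timeout",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PATTERNS = {
    "message_id": re.compile(r"%ASA-\d-(\d{6}):"),
    # 716002 carries the address inside angle brackets, 113019 after "IP ="
    "ip_angle": re.compile(r"IP <(" + IPV4 + r")>"),
    "ip_eq": re.compile(r"IP = (" + IPV4 + r")"),
    "user": re.compile(r"(?:Username = |User )([^\s,]+)"),
    "bytes_out": re.compile(r"Bytes xmt: (\d+)"),
    "bytes_in": re.compile(r"Bytes rcv: (\d+)"),
    "duration": re.compile(r"Duration: (\d+)h:(\d+)m:(\d+)s"),
}


def _first_group(pattern, text, cast=str):
    """Return the first capture group of pattern in text, cast, or None if absent."""
    m = pattern.search(text)
    return cast(m.group(1)) if m else None


def parse_event(raw):
    """Extract the fields the search needs from one raw ASA line. ClientIP is taken
    from whichever IP pattern the message type uses, mirroring the SPL coalesce()."""
    fields = {
        "message_id": _first_group(PATTERNS["message_id"], raw, int),
        "user": _first_group(PATTERNS["user"], raw),
        "ClientIP": _first_group(PATTERNS["ip_angle"], raw)
        or _first_group(PATTERNS["ip_eq"], raw),
        "bytes_out": _first_group(PATTERNS["bytes_out"], raw, int),
        "bytes_in": _first_group(PATTERNS["bytes_in"], raw, int),
    }
    d = PATTERNS["duration"].search(raw)
    if d:
        h, m, s = (int(x) for x in d.groups())
        fields.update(duration_hour=h, duration_minute=m, duration_second=s)
    return fields


MERGE_FIELDS = ("bytes_in", "bytes_out", "duration_hour", "duration_minute", "duration_second")


def merge_sessions(events):
    """Collapse events sharing (ClientIP, user) into one row: keep the first non-null
    value per field (what stats first() does) and list every message_id seen
    (what stats values() does). Events lacking a key field are dropped rather than
    left as a blank row, which is the gap visible in the question's table."""
    rows = {}
    for ev in events:
        if ev["ClientIP"] is None or ev["user"] is None:
            continue
        row = rows.setdefault(
            (ev["ClientIP"], ev["user"]),
            {"ClientIP": ev["ClientIP"], "user": ev["user"], "message_ids": []},
        )
        row["message_ids"].append(ev["message_id"])
        for f in MERGE_FIELDS:
            if row.get(f) is None and ev.get(f) is not None:
                row[f] = ev[f]
    for row in rows.values():
        if row.get("bytes_in") is not None and row.get("bytes_out") is not None:
            row["Total-BW"] = row["bytes_in"] + row["bytes_out"]  # addtotals equivalent
    return list(rows.values())


if __name__ == "__main__":
    for row in merge_sessions(parse_event(e) for e in SAMPLE_EVENTS):
        print(row)
```

The key point the example shows is that the merge key must exclude message_id: grouping by ClientIP and user lets the byte counters from 113019 and the session-end details from 716002 land in the same row, whereas adding message_id to the key keeps them on separate lines.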