Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to count equal sources

saschar
New Member
‎05-28-2013 12:40 AM

Hello,
I want to count the denials from the same source ip. How can I do this?
The Log looks like this:

May 28 07:22:30 aaa.aaa.aaa.aaa %ASA-4-106023: Deny icmp src MAN-TRANS-PIX:bbb.bbb.bbb.bbb dst MAN-PRIV-INFRA-DMZ1:dns1.man.internal (type 8, code 0) by access-group "MAN-TRANS-PIX_access_in" [0xe068225a, 0x0]

Thanks for help.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎05-28-2013 12:46 AM

If you're looking for a specific source ip you can do this:

search for that source ip and denial events | stats count

If you're looking for a general count by source ip you can do this:

search for denial events | stats count by src_ip

Alternatively, this:

search for denial events | top src_ip

Other than that you may need to clarify your goal.

View solution in original post

Reply
Solved! Jump to solution

saschar
New Member
‎05-28-2013 01:22 AM

Now I've tried the search on another server with the same asa-logs. On this my search and counting works fine but on the production-server I get no results...

0 Karma
Reply
Solved! Jump to solution

saschar
New Member
‎05-28-2013 12:58 AM

I am looking for a general count to get the sources which produces the most noise.
The count by src_ip producing no results. I think it's because the "MAN-TRANS-PIX:" in front of the IP. How can can I get these IP's out of this?

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎05-28-2013 12:46 AM

If you're looking for a specific source ip you can do this:

search for that source ip and denial events | stats count

If you're looking for a general count by source ip you can do this:

search for denial events | stats count by src_ip

Alternatively, this:

search for denial events | top src_ip

Other than that you may need to clarify your goal.

Reply
Solved! Jump to solution

BobM
Builder
‎05-29-2013 02:06 AM

If you do not have that extraction, you are probably missing other usefull information. I suggest you install the free "Technology Add on for Cisco ASA" to all your indexers and search heads.

http://splunk-base.splunk.com/apps/58196/technology-add-on-for-cisco-asa

Reply
Solved! Jump to solution

saschar
New Member
‎05-29-2013 12:52 AM

Thanks.
That was the problem.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎05-28-2013 02:54 AM

If you don't yet have the source ip extracted into a field you can do something like this to get you started quickly:

... | rex "MAN-TRANS-PIX:(?<src_ip>(\d{1,3}\.){3}\d{1,3})" | ...
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...