Splunk Search

How to group search results for large amount of data?

tmuhieddine
New Member

Hello,

First of all, forgive me, I am new at using Splunk, hoping someone can help me out. We use our Splunk instance to log firewall traffic, specifically Cisco ASA FWs. We currently have 1 firewall that has a wide open (any to any) FW rule in place. We are looking to build rules and eventually remove that wide open rule.

We searched for traffic for the last 30 days hitting that rule and it returned millions of events. Obviously most of these are duplicate sessions. My question is that I am looking for a way to group the results per host or modify the search to only return single hosts and not duplicate entries. I will need to export this data and build some FW policies; obviously with the number of events this would not be ideal.

Current Search string:
eventtype=cisco-firewall host="TC-CADC-SFW-5203" action="*" src_ip="*" dest_ip="*" src_port="*" dest_port="*" transport="*" service="*" 0x7b3c7918 (This hex number represents the wide open rule)

Example of event returned:
Oct 17 2019 10:04:38 TC-CADC-SFW-5203 : %ASA-5-106100: access-list global_access permitted tcp corp/10.16.46.197(50575) -> WAN/10.48.16.176(9100) hit-cnt 1 first hit [0x7b3c7918, 0x0]
host = TC-CADC-SFW-5203 | source = udp:8514 | sourcetype = cisco:asa

All suggestions welcome!

Thanks


richgalloway
SplunkTrust

There are a few ways to group events. The cluster command automatically groups like events. dedup removes events with exact duplicates of a given field or fields. You can also use stats to group events by one or more fields.

eventtype=cisco-firewall host="TC-CADC-SFW-5203" action="*" src_ip="*" dest_ip="*" src_port="*" dest_port="*" transport="*" service="*" 0x7b3c7918 | cluster

eventtype=cisco-firewall host="TC-CADC-SFW-5203" action="*" src_ip="*" dest_ip="*" src_port="*" dest_port="*" transport="*" service="*" 0x7b3c7918 | dedup _raw

eventtype=cisco-firewall host="TC-CADC-SFW-5203" action="*" src_ip="*" dest_ip="*" src_port="*" dest_port="*" transport="*" service="*" 0x7b3c7918 | stats values(*) as * by src_ip
---
If this reply helps you, Karma would be appreciated.
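The stats approach from the reply above, carried out offline as an added example (this is not code from the thread, from Splunk, or from Cisco): parse the %ASA-5-106100 message format shown in the question, keep only permitted events that carry the wide-open rule's hash, collapse them into unique (src_ip, dest_ip, dest_port, transport) flows with the ephemeral source port dropped, and then group those flows per source host the way `stats values(*) as * by src_ip` does. The log lines are constructed for the example (one is the event from the question; the rule hash 0xdeadbeef on the denied line is a placeholder), and the regex assumes the 106100 layout as printed there. The result is the list a firewall engineer actually needs to write least-privilege rules: which host talks to which destination on which port, not millions of sessions.

```python
import re
from collections import defaultdict

# Regex for the Cisco ASA %ASA-5-106100 access-list message as shown in the question.
# It captures ACL name, action, protocol, source/destination zone, IP and port, the
# hit count and the first rule hash (the "0x7b3c7918" the original search keys on).
ASA_106100 = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<transport>\w+) (?P<src_zone>[^/\s]+)/(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dest_zone>[^/\s]+)/(?P<dest_ip>[\d.]+)\((?P<dest_port>\d+)\) "
    r"hit-cnt (?P<hits>\d+) .*?\[(?P<rule>0x[0-9a-fA-F]+), 0x[0-9a-fA-F]+\]"
)

# Constructed sample events. The first is the event quoted in the question; the others
# are made up for the example. 0xdeadbeef is a placeholder rule hash, not a real one.
LOG_LINES = [
    "Oct 17 2019 10:04:38 TC-CADC-SFW-5203 : %ASA-5-106100: access-list global_access permitted tcp corp/10.16.46.197(50575) -> WAN/10.48.16.176(9100) hit-cnt 1 first hit [0x7b3c7918, 0x0]",
    "Oct 17 2019 10:04:41 TC-CADC-SFW-5203 : %ASA-5-106100: access-list global_access permitted tcp corp/10.16.46.197(50588) -> WAN/10.48.16.176(9100) hit-cnt 1 first hit [0x7b3c7918, 0x0]",
    "Oct 17 2019 10:05:02 TC-CADC-SFW-5203 : %ASA-5-106100: access-list global_access permitted udp corp/10.16.46.12(51000) -> WAN/10.48.16.53(53) hit-cnt 3 300-second interval [0x7b3c7918, 0x0]",
    "Oct 17 2019 10:05:09 TC-CADC-SFW-5203 : %ASA-5-106100: access-list global_access permitted tcp corp/10.16.46.197(50601) -> WAN/10.48.16.176(9100) hit-cnt 1 first hit [0x7b3c7918, 0x0]",
    "Oct 17 2019 10:05:30 TC-CADC-SFW-5203 : %ASA-5-106100: access-list global_access denied tcp corp/10.16.46.200(44001) -> WAN/10.48.16.9(445) hit-cnt 1 first hit [0xdeadbeef, 0x0]",
    "Oct 17 2019 10:05:44 TC-CADC-SFW-5203 : %ASA-6-302013: Built inbound TCP connection 12345 for corp:10.16.46.197/50602 (10.16.46.197/50602) to WAN:10.48.16.176/9100 (10.48.16.176/9100)",
]


def parse_event(line):
    """Return the fields of one 106100 event as a dict, or None for any other message."""
    m = ASA_106100.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["hits"] = int(ev["hits"])
    ev["src_port"] = int(ev["src_port"])
    ev["dest_port"] = int(ev["dest_port"])
    return ev


def group_flows(lines, rule_id):
    """Collapse permitted events that hit rule_id into unique flows, summing hit-cnt.

    Roughly the Splunk equivalent of
        ... 0x7b3c7918 action=permitted
        | stats sum(hits) by src_ip dest_ip dest_port transport
    The client-side source port is deliberately left out of the key: a firewall
    policy never matches on it, so keeping it would only recreate the duplicates.
    """
    flows = defaultdict(int)
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["action"] != "permitted":
            continue
        if ev["rule"].lower() != rule_id.lower():
            continue
        key = (ev["src_ip"], ev["dest_ip"], ev["dest_port"], ev["transport"])
        flows[key] += ev["hits"]
    return dict(flows)


def flows_by_source(flows):
    """Group the collapsed flows per source host, like 'stats values(*) as * by src_ip'."""
    by_src = defaultdict(list)
    for src_ip, dest_ip, dest_port, transport in sorted(flows):
        by_src[src_ip].append((dest_ip, dest_port, transport))
    return dict(by_src)


if __name__ == "__main__":
    flows = group_flows(LOG_LINES, "0x7b3c7918")
    for src_ip, dests in flows_by_source(flows).items():
        for dest_ip, dest_port, transport in dests:
            hits = flows[(src_ip, dest_ip, dest_port, transport)]
            print(f"{src_ip} -> {dest_ip}:{dest_port}/{transport}  hits={hits}")
```

Running it on the six constructed lines reduces them to two candidate rules (10.16.46.197 to 10.48.16.176 on tcp/9100, and 10.16.46.12 to 10.48.16.53 on udp/53); the denied event and the 302013 connection message are ignored. In Splunk itself the same reduction is the `stats ... by src_ip dest_ip dest_port transport` form of the reply, which is also the one that exports cleanly to CSV for building the policy.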

tmuhieddine
New Member

Thank you! I will give this a shot and let you know how it goes!

Much appreciated!!
