How to group search results for large amount of data?
Hello,
First of all, forgive me, I am new at using Splunk, hoping someone can help me out. We use our SPLUNK instance to log Firewall traffic, specifically Cisco ASA FWs. We currently have 1 firewall that has a wide open (any to any) FW rule in place. We are looking to build rules and eventually remove that wide open rule.
We searched for traffic for the last 30 days hitting that rule and it returned millions of events. Obviously most of these are duplicate sessions; my question is that I am looking for a way to group the results per host or modify the search to only return single hosts and not duplicate entries. I will need to export this data and build some FW policies; obviously with the number of events this would not be ideal.
Current Search string:
eventtype=cisco-firewall host="TC-CADC-SFW-5203" action="*" src_ip="*" dest_ip="*" src_port="*" dest_port="*" transport="*" service="*" 0x7b3c7918 (This Hex number represents the wide open rule)
Example of event returned:
Oct 17 2019 10:04:38 TC-CADC-SFW-5203 : %ASA-5-106100: access-list global_access permitted tcp corp/10.16.46.197(50575) -> WAN/10.48.16.176(9100) hit-cnt 1 first hit [0x7b3c7918, 0x0]
host = TC-CADC-SFW-5203 | source = udp:8514 | sourcetype = cisco:asa
All suggestions welcome!
Thanks
There are a few ways to group events. The cluster command automatically groups like events. dedup removes events with exact duplicates of a given field or fields. You can also use stats to group events by one or more fields.
eventtype=cisco-firewall host="TC-CADC-SFW-5203" action="*" src_ip="*" dest_ip="*" src_port="*" dest_port="*" transport="*" service="*" 0x7b3c7918 | cluster
eventtype=cisco-firewall host="TC-CADC-SFW-5203" action="*" src_ip="*" dest_ip="*" src_port="*" dest_port="*" transport="*" service="*" 0x7b3c7918 | dedup _raw
eventtype=cisco-firewall host="TC-CADC-SFW-5203" action="*" src_ip="*" dest_ip="*" src_port="*" dest_port="*" transport="*" service="*" 0x7b3c7918 | stats values(*) as * by src_ip
If this reply helps you, Karma would be appreciated.
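The same collapsing of duplicate sessions into unique flows, done outside Splunk on an exported log, as an added example that is neither the poster's nor Splunk's code: it parses the %ASA-5-106100 line format shown in the question and groups hits on the wide-open rule by (src_ip, dest_ip, transport, dest_port), dropping the ephemeral source port that makes every session look different. The sample events and the second rule hash 0x1a2b3c4d are constructed for the example.

```python
import re
from collections import Counter

# Regex for the Cisco ASA %ASA-5-106100 access-list message, matching the event in the question.
# Captures ACL name, verdict, protocol, zone/IP/port on each side, hit count and the rule hash.
ASA_106100 = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<transport>\w+) (?P<src_zone>[^/ ]+)/(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dest_zone>[^/ ]+)/(?P<dest_ip>[\d.]+)\((?P<dest_port>\d+)\) "
    r"hit-cnt (?P<hits>\d+) .*?\[(?P<rule_id>0x[0-9a-f]+), 0x[0-9a-f]+\]"
)

def parse_event(line):
    """Return a dict of fields from one 106100 line, or None if the line is not one."""
    m = ASA_106100.search(line)
    return m.groupdict() if m else None

def unique_flows(lines, rule_id):
    """Collapse events that hit rule_id into unique (src_ip, dest_ip, transport, dest_port)
    keys, summing hit-cnt. Source port is dropped: it changes per session and is not
    something a firewall policy should be written against."""
    flows = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["rule_id"] != rule_id:
            continue  # unparseable line, or a hit on some other rule
        key = (ev["src_ip"], ev["dest_ip"], ev["transport"], int(ev["dest_port"]))
        flows[key] += int(ev["hits"])
    return flows

# Constructed sample events in the same format as the event in the question.
SAMPLE_EVENTS = [
    "Oct 17 2019 10:04:38 TC-CADC-SFW-5203 : %ASA-5-106100: access-list global_access permitted tcp corp/10.16.46.197(50575) -> WAN/10.48.16.176(9100) hit-cnt 1 first hit [0x7b3c7918, 0x0]",
    "Oct 17 2019 10:04:41 TC-CADC-SFW-5203 : %ASA-5-106100: access-list global_access permitted tcp corp/10.16.46.197(50576) -> WAN/10.48.16.176(9100) hit-cnt 3 300-second interval [0x7b3c7918, 0x0]",
    "Oct 17 2019 10:05:02 TC-CADC-SFW-5203 : %ASA-5-106100: access-list global_access permitted udp corp/10.16.46.20(61000) -> WAN/10.48.16.5(53) hit-cnt 1 first hit [0x7b3c7918, 0x0]",
    # Hit on a different (constructed) rule hash; must be left out of the wide-open rule's flows.
    "Oct 17 2019 10:05:10 TC-CADC-SFW-5203 : %ASA-5-106100: access-list global_access permitted tcp corp/10.16.46.30(50001) -> WAN/10.48.16.176(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
]

if __name__ == "__main__":
    # Two rows come out for the wide-open rule: one tcp/9100 flow (4 hits) and one udp/53 flow (1 hit).
    for (src, dst, proto, port), hits in sorted(unique_flows(SAMPLE_EVENTS, "0x7b3c7918").items()):
        print(f"{src} -> {dst} {proto}/{port} hits={hits}")
```

Run against the exported 30-day search results, the output is the candidate rule table; grouping further by dest_ip and dest_port alone shows which services are reached from many sources.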
Thank you! I will give this a shot and let you know how it goes!
Much appreciated!!
