Splunk Search

How to search ASA Built/Allowed events and the following Teardown event with the same source and destination IP?

CYBR_AH
Explorer

Hi everyone,

I'm trying to think of a way to find a built/allowed ASA event and the following teardown event (with the same source IP and destination IP). My end goal is to be able to find any events that have only a built/allowed and are missing the teardown event. Any help would be awesome!

1 Solution

renjith_nair
Legend

If you just want to see the missing teardowns, look for the events which have only the starting part of the event.

Try something like this

your search ( event="allowed" OR event="teardown") |stats first(event) as latest_event by ip,other fields | search latest_event="allowed"

Not sure what your events look like and their field names, but try the above dummy search with your original fields. This will extract the latest event per IP and then the events which have only a start but no end.

---
What goes around comes around. If it helps, hit it with Karma 🙂

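The correlation the answer describes, as an added worked example that is not part of the thread: it parses constructed Cisco ASA syslog lines (message IDs 302013 "Built ... TCP connection" and 302014 "Teardown TCP connection"; the sample lines and addresses are made up for this example), then finds Built events that never got a Teardown. Two views are implemented: the per-IP-pair "latest event" view that the `stats first(event) ... by ip` search in the answer gives, and a per-connection view keyed on the ASA connection id plus both endpoints. The second view is included because several connections between the same two hosts collapse into one row in the per-pair view, so a Built with no Teardown can be masked by a later, cleanly closed connection between the same hosts.

```python
import re
from collections import OrderedDict

# Constructed sample ASA syslog lines (not real traffic). Connection 1002 and
# 1003 are never torn down; 1004 reuses the same IP pair as 1003 and closes.
SAMPLE_LOGS = [
    "%ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.7/51234 (10.0.0.7/51234)",
    "%ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/443 to inside:10.0.0.7/51234 duration 0:00:05 bytes 1234 TCP FINs",
    "%ASA-6-302013: Built outbound TCP connection 1002 for outside:198.51.100.9/80 (198.51.100.9/80) to inside:10.0.0.8/51300 (10.0.0.8/51300)",
    "%ASA-6-302013: Built outbound TCP connection 1003 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.7/51240 (10.0.0.7/51240)",
    "%ASA-6-302013: Built outbound TCP connection 1004 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.7/51250 (10.0.0.7/51250)",
    "%ASA-6-302014: Teardown TCP connection 1004 for outside:203.0.113.5/443 to inside:10.0.0.7/51250 duration 0:00:02 bytes 800 TCP FINs",
]

# One "interface:ip/port" endpoint; {p} is replaced by "a" or "b".
_ENDPOINT = r"\w+:(?P<{p}_ip>[\d.]+)/(?P<{p}_port>\d+)"

BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built (?:inbound|outbound) TCP connection (?P<conn>\d+) for "
    + _ENDPOINT.format(p="a") + r" \([^)]*\) to " + _ENDPOINT.format(p="b")
)
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<conn>\d+) for "
    + _ENDPOINT.format(p="a") + r" to " + _ENDPOINT.format(p="b")
)


def parse_line(line):
    """Return a dict for a Built or Teardown event, or None for any other line."""
    kind, m = "built", BUILT_RE.search(line)
    if m is None:
        kind, m = "teardown", TEARDOWN_RE.search(line)
    if m is None:
        return None
    return {
        "kind": kind,
        "conn": m.group("conn"),
        "a_ip": m.group("a_ip"), "a_port": int(m.group("a_port")),
        "b_ip": m.group("b_ip"), "b_port": int(m.group("b_port")),
    }


def find_missing_teardowns(lines):
    """Precise view: Built events with no Teardown carrying the same connection
    id and the same two endpoints. Events are processed in log order."""
    open_conns = OrderedDict()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["conn"], ev["a_ip"], ev["b_ip"])
        if ev["kind"] == "built":
            open_conns[key] = ev
        else:
            open_conns.pop(key, None)
    return list(open_conns.values())


def latest_event_per_pair(lines):
    """Per-pair view, equivalent to the answer's `stats first(event) ... by ip`:
    keep only the kind of the latest event per (a_ip, b_ip). A pair whose latest
    event is 'built' is suspicious, but a later closed connection between the
    same hosts hides an earlier one that never closed."""
    latest = {}
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            latest[(ev["a_ip"], ev["b_ip"])] = ev["kind"]
    return latest


if __name__ == "__main__":
    for ev in find_missing_teardowns(SAMPLE_LOGS):
        print("no teardown for conn %s: %s/%d -> %s/%d"
              % (ev["conn"], ev["a_ip"], ev["a_port"], ev["b_ip"], ev["b_port"]))
    for pair, kind in latest_event_per_pair(SAMPLE_LOGS).items():
        print("pair %s latest event: %s" % (pair, kind))
```

On the sample, the per-connection view reports connections 1002 and 1003, while the per-pair view reports only the 198.51.100.9/10.0.0.8 pair, because 1004 closed after 1003 between the same hosts. The same distinction applies in Splunk: grouping by source and destination IP alone gives the coarse view, and adding the connection id field to the `by` clause gives the precise one.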
