I'm very new to splunk, and just started using it. Please forgive my ignorance.
I'm dumping my syslog from a sonicwall. They look something like this.
Oct 2 16:12:06 10.89.55.40 id=firewall sn=xxxxxx time="2014-10-02 16:12:06" fw= pri=1 c=0 m=1198 msg="Initiator from country blocked: Initiator IP:22.214.171.124 Country Name:China" note="Initiator IP:126.96.36.199 Country Name:China" sess=None n=176896 src=188.8.131.52:43642:X1:smtp-newslist-87.coremotivesmarketing.com dst=
I would like to get a report that would list all the country names that are blocked and give me totals/statistics.
Thanks for your help.
first use some regex to get the Country name as a field like this (`[^\"]+` rather than `\w+`, so multi-word country names such as "United States" are captured whole):
| rex "Country\sName\:(?<Country>[^\"]+)\""
then use some stats on this new field like this:
| stats count by Country
So, by using something like this search command, you will get a statistical count of all blocked Countries:
sourcetype=syslog id=firewall msg="*blocked*" | rex "Country\sName\:(?<Country>[^\"]+)\"" | stats count by Country
if this matches your needs, you can create this as a search-time field extraction. In this case the field will be available without the use of the regex.
hope this helps to get you started ...
Or you extract the IP as a field and use the IP field in the `iplocation` command http://docs.splunk.com/Documentation/Splunk/6.1.4/SearchReference/Iplocation which will give some more fields that you can use for some fancy Google Maps dashboards 😉
Perfect Thank you for your help! I'm terrible when it comes to this kind of stuff!
I like fancy google maps stuff. Thanks for the link. Hopefully I can make head/tails of it!