
How to write a stats search on syslog data to get a report of all country names that are blocked?

Engager

I'm very new to splunk, and just started using it. Please forgive my ignorance.

I'm dumping my syslog from a sonicwall. They look something like this.

Oct  2 16:12:06 10.89.55.40 id=firewall sn=xxxxxx  time="2014-10-02 16:12:06" fw= pri=1 c=0 m=1198 msg="Initiator from country blocked: Initiator IP:209.172.40.87 Country Name:China" note="Initiator IP:209.172.40.87 Country Name:China" sess=None n=176896 src=209.172.40.87:43642:X1:smtp-newslist-87.coremotivesmarketing.com dst=

I would like to get a report that would list all the country names that are blocked and give me totals/statistics.

Thanks for your help.


Re: How to write a stats search on syslog data to get a report of all country names that are blocked?

SplunkTrust

Hi smarra,

first use some regex to get the Country name as field like this:

| rex "Country\sName\:(?<Country>\w+)\"" 

then use some stats on this new field like this:

| stats count by Country

So, by using something like this search command, you will get a statistical count of all blocked Countries:

sourcetype=syslog id=firewall msg="*blocked*" | rex "Country\sName\:(?<Country>\w+)\"" | stats count by Country

if this matches your needs, you can create this as a search-time field extraction. In this case the field will be available without the use of the regex.

hope this helps to get you started ...

cheers, MuS



Re: How to write a stats search on syslog data to get a report of all country names that are blocked?

SplunkTrust

Or you extract the IP as a field and use the IP field in the `iplocation` command http://docs.splunk.com/Documentation/Splunk/6.1.4/SearchReference/Iplocation which will give you some more fields that you can use for some fancy Google Maps dashboards 😉
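
The extraction and count from both answers above, as an added, stand-alone Python example that is not part of the thread (rex and stats run inside Splunk; this only reproduces the same logic so the regex can be checked offline before it goes into a search-time extraction). The log lines are constructed in the format of the one in the question, using the IP from the post plus RFC 5737 documentation addresses; the field names Country and Initiator_IP and the second, wider regex are the example's own choices, not anything from the thread. It runs the accepted answer's `Country\sName:(?<Country>\w+)"` pattern alongside one that captures up to the closing quote, which is the difference that matters once names such as United States appear, and it also pulls out the initiator IP, the field the second answer suggests feeding to `iplocation`.

```python
import re
from collections import Counter

# Constructed sample events in the format of the SonicWall syslog line in the
# question. 209.172.40.87 is the IP quoted in the post; the others come from the
# RFC 5737 documentation ranges and are not real sources.
SAMPLE_LOGS = [
    'Oct  2 16:12:06 10.89.55.40 id=firewall sn=xxxxxx  time="2014-10-02 16:12:06" fw= pri=1 c=0 m=1198 msg="Initiator from country blocked: Initiator IP:209.172.40.87 Country Name:China" note="Initiator IP:209.172.40.87 Country Name:China" sess=None n=176896 src=209.172.40.87:43642:X1 dst=',
    'Oct  2 16:13:41 10.89.55.40 id=firewall sn=xxxxxx  time="2014-10-02 16:13:41" fw= pri=1 c=0 m=1198 msg="Initiator from country blocked: Initiator IP:198.51.100.23 Country Name:China" note="Initiator IP:198.51.100.23 Country Name:China" sess=None n=176897 src=198.51.100.23:51022:X1 dst=',
    'Oct  2 16:14:05 10.89.55.40 id=firewall sn=xxxxxx  time="2014-10-02 16:14:05" fw= pri=1 c=0 m=1198 msg="Initiator from country blocked: Initiator IP:203.0.113.9 Country Name:United States" note="Initiator IP:203.0.113.9 Country Name:United States" sess=None n=176898 src=203.0.113.9:40211:X1 dst=',
    'Oct  2 16:15:30 10.89.55.40 id=firewall sn=xxxxxx  time="2014-10-02 16:15:30" fw= pri=1 c=0 m=1198 msg="Initiator from country blocked: Initiator IP:192.0.2.77 Country Name:Russian Federation" note="Initiator IP:192.0.2.77 Country Name:Russian Federation" sess=None n=176899 src=192.0.2.77:33901:X1 dst=',
    # A non-block event (constructed); it must not be counted.
    'Oct  2 16:16:02 10.89.55.40 id=firewall sn=xxxxxx  time="2014-10-02 16:16:02" fw= pri=6 c=262144 m=98 msg="Connection Opened" sess=None n=176900 src=192.0.2.10:44551:X1 dst=',
]

# The regex from the accepted answer, in Python syntax ((?P<name>...) instead of
# PCRE's (?<name>...)). \w+ stops at the first space, so the closing quote never
# matches for multi-word names and those events get no Country field at all.
WORD_COUNTRY_RE = re.compile(r'Country\sName:(?P<Country>\w+)"')

# Assumed alternative: capture everything up to the closing quote so that
# "United States" and "Russian Federation" are extracted whole.
QUOTED_COUNTRY_RE = re.compile(r'Country\sName:(?P<Country>[^"]+)"')

# The initiator address, i.e. the field you would hand to iplocation.
IP_RE = re.compile(r'Initiator IP:(?P<Initiator_IP>\d{1,3}(?:\.\d{1,3}){3})')


def extract_blocked(line, country_re=QUOTED_COUNTRY_RE):
    """Return {'Country': ..., 'Initiator_IP': ...} for a country-block event,
    or None if the line is not a block event or the country does not parse.
    Mirrors the filter id=firewall msg="*blocked*" followed by the rex step."""
    if 'id=firewall' not in line or 'blocked' not in line:
        return None
    country = country_re.search(line)
    if country is None:
        return None
    ip = IP_RE.search(line)
    return {
        'Country': country.group('Country'),
        'Initiator_IP': ip.group('Initiator_IP') if ip else None,
    }


def blocked_by_country(lines, country_re=QUOTED_COUNTRY_RE):
    """Equivalent of `| stats count by Country`: block events per country."""
    counts = Counter()
    for line in lines:
        fields = extract_blocked(line, country_re)
        if fields:
            counts[fields['Country']] += 1
    return counts


def blocked_ips_by_country(lines):
    """Equivalent of `| stats values(Initiator_IP) by Country`: the set of
    blocked initiator IPs seen for each country."""
    ips = {}
    for line in lines:
        fields = extract_blocked(line)
        if fields:
            ips.setdefault(fields['Country'], set()).add(fields['Initiator_IP'])
    return ips


if __name__ == '__main__':
    print('answer regex (\\w+) :', dict(blocked_by_country(SAMPLE_LOGS, WORD_COUNTRY_RE)))
    print('quoted regex ([^"]+):', dict(blocked_by_country(SAMPLE_LOGS)))
    for country, ips in sorted(blocked_ips_by_country(SAMPLE_LOGS).items()):
        print(f'{country}: {sorted(ips)}')
```

With the constructed input, the `\w+` pattern reports only China (2), silently dropping the United States and Russian Federation events, while the `[^"]+` pattern reports all four; whichever regex ends up in the search-time extraction, a quick `| stats count by Country` next to `| stats count` over the same `msg="*blocked*"` events will show whether any blocks are going uncounted.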


Re: How to write a stats search on syslog data to get a report of all country names that are blocked?

Engager

Perfect Thank you for your help! I'm terrible when it comes to this kind of stuff!

I like fancy Google Maps stuff. Thanks for the link. Hopefully I can make heads or tails of it!


Re: How to write a stats search on syslog data to get a report of all country names that are blocked?

SplunkTrust

you're welcome. Please mark this as answered, thx 🙂
