I have an event from which I want to extract the IP address and port number.
Mar 6 13:59:59 192.168.140.215 %ASA-4-106023: Deny udp src outside:xxx.xxx.xxx.xxx/xxxxx dst inside:xxx.xxx.xxx.xxx/xxxxx by access-group "outside_access_in" [0x0, 0x0]
The following search works and produces results.
(sourcetype=cisco_asa AND Deny NOT (search)) | rex field=Outside "outside:(?P
But this search, although it works, does not produce any results.
(sourcetype=cisco_asa AND Deny NOT (search)) | rex field=Outside "outside:(?P
I have tried many variations to extract the OutsidePort with no success. What am I doing wrong?
Thank you
Randy
This works for me:
... | rex "outside:(?<outside_ip>[^/]+)/(?<outside_port>\S+)" | stats count by outside_port
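The extraction in the answer above, run outside Splunk as an added example (it is not code from the original thread). Python's `re` module stands in for `rex`: it only understands the `(?P<name>...)` form of named groups, whereas Splunk's PCRE-based `rex` accepts both `(?<name>...)` and `(?P<name>...)`. The sample events are constructed for this example, and the `MISSING_SLASH` pattern is an assumed reconstruction of the mistake described in the comments, since the question's own `rex` is truncated on the page.

```python
import re
from collections import Counter

# Constructed sample events for this example (not taken from the original thread).
# Source addresses use RFC 5737 documentation ranges; ports are arbitrary.
SAMPLE_EVENTS = [
    'Mar 6 13:59:59 192.168.140.215 %ASA-4-106023: Deny udp src outside:203.0.113.10/51515 '
    'dst inside:192.168.140.20/53 by access-group "outside_access_in" [0x0, 0x0]',
    'Mar 6 14:00:01 192.168.140.215 %ASA-4-106023: Deny tcp src outside:203.0.113.11/44444 '
    'dst inside:192.168.140.20/445 by access-group "outside_access_in" [0x0, 0x0]',
    'Mar 6 14:00:02 192.168.140.215 %ASA-4-106023: Deny udp src outside:198.51.100.7/51515 '
    'dst inside:192.168.140.21/53 by access-group "outside_access_in" [0x0, 0x0]',
    # A non-deny event; the search term "Deny" in the question filters these out.
    'Mar 6 14:00:03 192.168.140.215 %ASA-6-302013: Built inbound TCP connection 4711 '
    'for outside:203.0.113.12/40000 (203.0.113.12/40000) to inside:192.168.140.22/80 (192.168.140.22/80)',
]

# Pattern from the accepted answer, using Python's (?P<name>...) group syntax.
WORKING = re.compile(r"outside:(?P<outside_ip>[^/]+)/(?P<outside_port>\S+)")

# Assumed reconstruction of the mistake discussed in the thread: no "/" between
# the two groups. [^/]+ greedily takes the whole address and stops at the slash,
# so \S+ then matches the slash together with the port.
MISSING_SLASH = re.compile(r"outside:(?P<outside_ip>[^/]+)(?P<outside_port>\S+)")


def extract(events, pattern=WORKING):
    """Apply a rex-style pattern to each 'Deny' event and return its named groups.

    Mirrors `... Deny | rex "<pattern>"`: rex without field= runs against _raw,
    and events that do not match simply get no extracted fields.
    """
    results = []
    for event in events:
        if "Deny" not in event:
            continue
        m = pattern.search(event)
        if m:
            results.append(m.groupdict())
    return results


def count_by_port(events, pattern=WORKING):
    """Equivalent of `| stats count by outside_port`."""
    return Counter(r["outside_port"] for r in extract(events, pattern))


if __name__ == "__main__":
    for row in extract(SAMPLE_EVENTS):
        print(row)
    print(dict(count_by_port(SAMPLE_EVENTS)))
    # Without the "/", the port group still matches but swallows the slash:
    print(extract(SAMPLE_EVENTS, MISSING_SLASH)[0]["outside_port"])  # '/51515'
```

Two details worth checking when porting this back to SPL: the answer's `rex` has no `field=`, so it runs against `_raw`, whereas the question's `rex field=Outside` only extracts from a field named `Outside` and yields nothing if that field is not present on the events; and `[^/]+` is what keeps the address group from running into the port, so a pattern that drops the literal `/` still matches but leaves a leading slash on `outside_port`.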
I think the only thing you forgot is the "/" between the extraction of "outsideip" and "outsideport", which martin_mueller has in his extraction...
I added the missing / between the round brackets to what I had but I still had problems. I kept fiddling with what I had unsuccessfully, but cutting & pasting exactly what you have does the job. Thank you.