I want to have a field/something called traffic_direction that will populate with the values "internal", "inbound", or "outbound", based on the source_ip and dest_ip in my data. Right now we're using a combination of event types and tags.
Internal = non-routable to non-routable
Outbound = non-routable to routable
Inbound = routable to non-routable
As an example, we have an event type for inbound...
index=foo (sip!=10.0.0.0/8 sip!=172.16.0.0/12 sip!=192.168.0.0/16) AND (dip=10.0.0.0/8 OR dip=172.16.0.0/12 OR dip=192.168.0.0/16)
And a tag called traffic_direction:inbound
The problem is doing something like | stats count by tag
because other apps use tags too, and not all of them are our directions.
What's my best approach to this problem?
Try
tag=traffic_direction*
| rex field=tag "traffic_direction:(?<traffic_direction>.*)"
| stats count by traffic_direction
This dynamically creates a new field named traffic_direction
based on the tag, which you can then use for reporting without getting tangled up in any other tags.
I appreciate the answer. Is there a way I can globally apply this SPL that makes the new traffic_direction field available without having to explicitly include that SPL every time?
Well, a tag is based on a field-value pair. In the question above, the tag was created against the eventtype.
There is no reason why you couldn't use the eventtype directly - or even the tag.
The problem arises when you want to say "by eventtype" or "by tag" in a command like stats - because there may be lots of tags or eventtypes that you don't care about.
You could do a calculated field:
field: traffic_direction
calculation: case(eventtype=="inbound","inbound",eventtype=="outbound","outbound", etc.
You could make the field calculation anything that makes sense for your environment. The calculated field will always be available (although you will have to set its permissions for other people to use it).
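An added example of the calculated-field approach, not code from the original thread: a props.conf stanza that derives traffic_direction directly from the sip and dip fields with cidrmatch(), using the same three RFC 1918 blocks as the question's event type. The sourcetype name "firewall" is an assumption (use whatever stanza matches your data), and the fourth value "external" for routable-to-routable traffic is an addition beyond the three values the question defines. It tests the addresses rather than the eventtype because Splunk evaluates calculated fields before event types and tags in its search-time operations order, so eventtype is not yet populated when an EVAL- calculation runs.

```ini
# props.conf, e.g. $SPLUNK_HOME/etc/apps/<yourapp>/local/props.conf
# Added example, not from the original thread. Assumes the events carry
# the fields sip and dip (as in the question) under a sourcetype named
# "firewall"; change the stanza header to match your data.
[firewall]
# Non-routable = the three RFC 1918 blocks used in the question's event types.
# cidrmatch("<cidr>", <field>) is true when the address falls inside the block.
# Calculated fields run before event types and tags, so the IPs are tested directly.
# A trailing backslash continues the value onto the next line; case() takes the
# first branch that is true, so "internal" (both private) must be tested before
# "outbound" (source private) and "inbound" (destination private).
EVAL-traffic_direction = case( \
    (cidrmatch("10.0.0.0/8",sip) OR cidrmatch("172.16.0.0/12",sip) OR cidrmatch("192.168.0.0/16",sip)) \
      AND (cidrmatch("10.0.0.0/8",dip) OR cidrmatch("172.16.0.0/12",dip) OR cidrmatch("192.168.0.0/16",dip)), "internal", \
    (cidrmatch("10.0.0.0/8",sip) OR cidrmatch("172.16.0.0/12",sip) OR cidrmatch("192.168.0.0/16",sip)), "outbound", \
    (cidrmatch("10.0.0.0/8",dip) OR cidrmatch("172.16.0.0/12",dip) OR cidrmatch("192.168.0.0/16",dip)), "inbound", \
    isnotnull(sip) AND isnotnull(dip), "external")
```

Before committing this to props.conf, the same expression can be tried inline as `| eval traffic_direction=case(...)` against a sample of events to confirm the field names and ranges are right; events missing either address get no traffic_direction value, which keeps them out of a `| stats count by traffic_direction`. Once saved, share the calculated field's permissions at app or global level, as the answer above notes, so other users and dashboards see it.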