Splunk Search

Using an eventtype/tag to create a field based on a session's direction per CIDR

yacht_rock
Explorer

I want to have a field/something called traffic_direction that will populate with the values "internal", "inbound", or "outbound", based on the source_ip and dest_ip in my data. Right now we're using a combination of event types and tags.

Internal = non-routable to non-routable
Outbound = non-routable to routable
Inbound = routable to non-routable

As an example, we have an event type for inbound...

index=foo (sip!=10.0.0.0/8 sip!=172.16.0.0/12 sip!=192.168.0.0/16) AND (dip=10.0.0.0/8 OR dip=172.16.0.0/12 OR dip=192.168.0.0/16)

And a tag called traffic_direction:inbound

The problem is doing something like | stats count by tag because other apps use tags too, and not all of them are our directions.

What's my best approach to this problem?


lguinn2
Legend

Try

tag=traffic_direction*
| rex field=tag "traffic_direction:(?<traffic_direction>.*)"
| stats count by traffic_direction

This dynamically creates a new field named traffic_direction based on the tag, which you can then use for reporting without getting tangled up in any other tags.



yacht_rock
Explorer

I appreciate the answer. Is there a way I can globally apply this SPL that makes the new traffic_direction field available without having to explicitly include that SPL every time?


lguinn2
Legend

Well, a tag is based on a field-value pair. In the question above, the tag was created against the eventtype.
There is no reason why you couldn't use the eventtype directly - or even the tag.

The problem arises when you want to say "by eventtype" or "by tag" in a command like stats - because there may be lots of tags or eventtypes that you don't care about.

You could do a calculated field:

field: traffic_direction
calculation: case(eventtype=="inbound","inbound",eventtype=="outbound","outbound", etc.

You could make the field calculation anything that makes sense for your environment. The calculated field will always be available (although you will have to set its permissions for other people to use it).

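Added example, not code from this thread: the same three-way classification the question's eventtypes express (non-routable = the three RFC 1918 ranges), written in Python with the ipaddress module so the CIDR logic can be checked outside Splunk, including the 172.16.0.0/12 boundary. Labelling routable-to-routable traffic "external" is an assumption; the thread defines no such case.

```python
import ipaddress
from collections import Counter

# The three non-routable ranges used by the eventtypes in the question (RFC 1918).
NON_ROUTABLE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_non_routable(ip: str) -> bool:
    """True if ip falls in any RFC 1918 range (what cidrmatch() does in SPL)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NON_ROUTABLE)


def traffic_direction(sip: str, dip: str) -> str:
    """Mirror the question's definitions: internal, outbound, inbound.
    Routable-to-routable matches none of the eventtypes; it is labelled
    "external" here, which is an assumption rather than something the thread defines."""
    src_private = is_non_routable(sip)
    dst_private = is_non_routable(dip)
    if src_private and dst_private:
        return "internal"
    if src_private:
        return "outbound"
    if dst_private:
        return "inbound"
    return "external"


def count_by_direction(events):
    """Equivalent of `| stats count by traffic_direction` over (sip, dip) pairs."""
    return dict(Counter(traffic_direction(s, d) for s, d in events))


# Constructed sample events (sip, dip); not taken from the thread.
SAMPLE_EVENTS = [
    ("10.1.2.3", "192.168.10.5"),    # internal
    ("172.20.0.9", "203.0.113.7"),   # outbound
    ("198.51.100.4", "10.9.8.7"),    # inbound
    ("172.32.0.1", "10.0.0.1"),      # 172.32.x is outside 172.16.0.0/12, so inbound
    ("203.0.113.1", "198.51.100.2"), # external (assumed label)
]

if __name__ == "__main__":
    for sip, dip in SAMPLE_EVENTS:
        print(sip, dip, traffic_direction(sip, dip))
    print(count_by_direction(SAMPLE_EVENTS))
```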