Hello again splunkers!
I have created two new eventtypes for two different cisco firewalls in my setup, one is cisco_fw_dmz and the other cisco_fw_inside.
The match I use to get those eventtypes is something like %ASA <
The problem is that the default eventtype of Cisco Security for Splunk is still there and when I try something like
search eventtype="cisco_fw_dmz" OR eventtype="cisco_fw_inside" | timechart count by eventtype
I get 3 columns, two for each firewall and one that I need to remove with the eventtype cisco_firewall.
How can I narrow my search?
I'm not familiar with the Cisco app, but it seems like you could just add the following eventtype!="cisco_firewall" like this:
search (eventtype="cisco_fw_dmz" OR eventtype="cisco_fw_inside") AND eventtype!="cisco_firewall" | timechart count by eventtype
search eventtype="cisco_fw_dmz" OR eventtype="cisco_fw_inside" | timechart count by eventtype | search eventtype!="cisco_firewall"
The second "search" clause could also be a "where" clause.
If that doesn't work, then you'll probably need to redefine your new eventtypes to be more specific and not capture the events that fall under the "cisco_firewall" eventtype.
If you are using Splunk 5.0 I would suggest not using eventtypes. I would suggest extracting the ip into a field, and then using this field to display what you want; or using a macro (myMacro(2)):
eval $field$=if(like(_raw,"%%%ASA $ip$%"),1)
You can then call the macro passing in a name for the field and the ip you are looking for. Example call:
You now have all events of the cisco_fw_dmz type containing a field with value 1, and similarly for cisco_fw_inside.
This may be happening because you have defined overlapping eventtypes. Thus when you search for results of either type, you get the eventtype field populated with multiple values.
Run your search without the timechart, select the "eventtype" field from the "interesting fields", and see what is being populated. If you are getting multiple values in your eventtype field, you will want to do something like this before the timechart:
...| eval eventtype=case(like(eventtype,"%cisco_fw_dmz%"),"cisco_fw_dmz",like(eventtype,"%cisco_fw_inside%"),"cisco_fw_inside", eventtype) |...
Thanks a lot for answering!
Unfortunately the searchs you gave me don't work, looks like the results are both eventtypes cisco_firewall and (cisco_fw_dmz or cisco_fw_inside) so eliminating the common eventtype returns 0 results.
I need the results to be classified as cisco_firewall for the default dashboards that come with Cisco Security Application to work, so supressing this type is not acceptable (unless there is a workaround, like redefining the cisco_firewall eventtype as the sum of the other two).