I used the email-to-ticket part of Zendesk. Then, at the ticket level, I put enough info in the subject line of the alert to easily filter to the right ticketing group in Zendesk. To get info from the search into the ticket, you use: $result.<fieldname_you_want_in_subject_line>$ ; examples: $result.src_ip$ or $result.host$
What metrics log shows the events coming in? Metrics on the forwarder, or metrics on the indexer? Or do you have a single-instance setup?
Have you tried searching over 'all time' in case there is some issue with the timestamp/timezone recognition?
Please try this:
index="*-network" (sourcetype="cisco:asa" OR sourcetype="routers") user="user*" ("session terminated" OR "session started")
| rex field=_raw ".*(?<sessionState>(session\s*(terminated|started))).*"
| table _time, user, src_ip, sessionState
See the extraction here
If you want to make it case-insensitive, like the search bar does, try (?i) in rex:
...| rex field=_raw ".*(?<sessionState>(?i)(session\s*(terminated|started))).*"| ...
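As an added example (not from the original thread), the same extraction run in Python over a few constructed log lines, to show which events the (?i) variant tags that the case-sensitive rex misses. Python's re module names groups as (?P<name>...) rather than Splunk's (?<name>...), and the case-insensitive flag is scoped with (?i:...) instead of an inline (?i); the sample events and field values are made up.

```python
import re

# Constructed sample events (not real ASA/router output). Each carries the
# fields the search above tables: _time, user, src_ip, plus _raw for rex.
SAMPLE_EVENTS = [
    {"_time": "2024-01-01T10:00:00", "user": "user1", "src_ip": "10.0.0.5",
     "_raw": "fw01 %ASA-6-113039: Group <vpn> User <user1> IP <10.0.0.5> session started"},
    {"_time": "2024-01-01T10:05:00", "user": "user2", "src_ip": "10.0.0.6",
     "_raw": "fw01 %ASA-4-113019: Group <vpn> User <user2> IP <10.0.0.6> Session Terminated"},
    {"_time": "2024-01-01T10:07:00", "user": "user3", "src_ip": "10.0.0.7",
     "_raw": "rtr01 user3 from 10.0.0.7 session  started on vty0"},
    {"_time": "2024-01-01T10:09:00", "user": "user4", "src_ip": "10.0.0.8",
     "_raw": "rtr01 user4 from 10.0.0.8 login started on vty1"},
]

# Case-sensitive form of the rex in the thread. The leading/trailing .* in
# the original are not needed for an unanchored search, so they are dropped.
SESSION_STATE_CS = re.compile(r"(?P<sessionState>session\s*(terminated|started))")

# Case-insensitive form: the (?i) of the thread, scoped to the group here
# because Python rejects a global inline flag placed mid-pattern.
SESSION_STATE_CI = re.compile(r"(?P<sessionState>(?i:session\s*(terminated|started)))")


def rex_session_state(events, pattern):
    """Mimic `| rex ... | table _time, user, src_ip, sessionState`.

    Like Splunk's rex, a non-matching event is kept but leaves sessionState
    unset (None), so the row still appears in the table with a blank cell.
    """
    rows = []
    for ev in events:
        m = pattern.search(ev["_raw"])
        rows.append({
            "_time": ev["_time"],
            "user": ev["user"],
            "src_ip": ev["src_ip"],
            "sessionState": m.group("sessionState") if m else None,
        })
    return rows


if __name__ == "__main__":
    for label, pat in (("case-sensitive", SESSION_STATE_CS), ("(?i)", SESSION_STATE_CI)):
        print(label)
        for row in rex_session_state(SAMPLE_EVENTS, pat):
            print("  ", row["_time"], row["user"], row["src_ip"], row["sessionState"])
```

The second event ("Session Terminated") only gets a sessionState with the (?i) pattern; the fourth never matches, which is the blank cell you would see in the Splunk table.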