You'd actually want to do this with a field extraction, but you could test the field extraction with the rex tho. Something like this in your local/props.conf [host::x.y.z.b] EXTRACT-ip_proto,src_address,src_port,etc = "list 101 denied (? [a-zA-Z]+) (? d+.d+.d+.d+)((? d+)) -> (? d+.d+.d+.d+)((? d+))" You'll need to customize the extracted field names to match. ... View more

This app has gone mysteriously missing recently 😞 ... View more

What you need to do is field extract the same fields from the IOS ACL deny log entries. I've used the following quick rex's in the past to dig info from ACLs. host="someIOSfirewall" %SEC-6-IPACCESSLOGP | rex field=_raw "list 101 denied (? [a-zA-Z]+) (? \d+.\d+.\d+.\d+)((? \d+)) -> (? \d+.\d+.\d+.\d+)((? \d+))" | chart sparkline count by src_address host="someIOSfirewall" %SEC-6-IPACCESSLOGP | rex field=_raw "list 101 denied (? [a-zA-Z]+) (? \d+.\d+.\d+.\d+)((? \d+)) -> (? \d+.\d+.\d+.\d+)((? \d+))" | lookup geoip clientip as src_address | chart sparkline count by client_country | sort -count Just make the field names match what it is expecting, and the type to match, and you'll be set. ... View more