Based on the Cisco ASA TA and eventgen, you could start here as a base:
index=test sourcetype="cisco:asa" ( action=blocked OR action=allowed ) | transaction dest maxspan=10m startswith="action=allowed" endswith="action=blocked" | stats count by dest | where count > 50
A few things to note: you want to reverse dest to src, and swap the startswith and endswith. (I was limited by what eventgen is generating.) And of course update your index and sourcetypes...
It's also worth noting that firewall logs are generally extremely high velocity, meaning that these are usually millions of events per minute. This means a transaction over 10 minutes is extremely inefficient and will take a long time. There are probably better approaches to this, such as doing a reducing search with stats, dumping that to a summary index, and then running the transaction against that summarized data.
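To make the two approaches above concrete, here is an added offline model of what the searches do (example code written for this answer; it is not Splunk code and not part of the original post). It constructs sample events with the same three fields the Cisco ASA TA would extract (action, src, dest), keys on src as the answer recommends rather than dest, mimics `transaction src maxspan=10m startswith=allowed endswith=blocked | stats count by src | where count > 50` with a simplified pairing (only complete allowed-then-blocked pairs are counted), and then shows the reduce-first variant: a per-minute stats summary that is far smaller than the raw feed, with the same 10-minute check run over the summary rows. Field names, the threshold of 50 and the sample hosts are assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=10)  # same window as maxspan=10m in the SPL
THRESHOLD = 50                   # same as | where count > 50


def build_sample_events():
    """Constructed stand-in for TA-extracted ASA events (not real ASA output)."""
    base = datetime(2024, 1, 1, 0, 0, 0)
    events = []

    def add(t, action, src, dest):
        events.append({"_time": t, "action": action, "src": src, "dest": dest})

    # 10.0.0.5: 60 allowed/blocked pairs inside five minutes (the pattern hunted for)
    for i in range(60):
        t = base + timedelta(seconds=5 * i)
        add(t, "allowed", "10.0.0.5", f"10.1.0.{i + 1}")
        add(t + timedelta(seconds=1), "blocked", "10.0.0.5", f"10.1.0.{i + 1}")
    # 10.0.0.7: a handful of pairs, below the threshold
    for i in range(5):
        t = base + timedelta(minutes=i)
        add(t, "allowed", "10.0.0.7", "10.1.1.1")
        add(t + timedelta(seconds=1), "blocked", "10.0.0.7", "10.1.1.1")
    # 10.0.0.8: 60 pairs, but each blocked arrives 11 minutes after its allowed,
    # so every pair falls outside maxspan and must not count
    for i in range(60):
        t = base + timedelta(minutes=12 * i)
        add(t, "allowed", "10.0.0.8", "10.1.2.1")
        add(t + timedelta(minutes=11), "blocked", "10.0.0.8", "10.1.2.1")
    return events


def transaction_count(events, key="src", maxspan=MAXSPAN,
                      startswith="allowed", endswith="blocked"):
    """Simplified model of transaction <key> maxspan=... startswith=... endswith=...
    followed by stats count by <key>: one transaction per completed start->end pair
    within maxspan. (Splunk's real transaction command has more cases, e.g. transactions
    closed without an endswith match; they are ignored here.)"""
    open_tx = {}                # key -> time of the open start event
    counts = defaultdict(int)
    for ev in sorted(events, key=lambda e: e["_time"]):
        k = ev.get(key)
        if k is None:
            continue
        if ev["action"] == startswith:
            open_tx.setdefault(k, ev["_time"])
        elif ev["action"] == endswith and k in open_tx:
            if ev["_time"] - open_tx.pop(k) <= maxspan:
                counts[k] += 1
    return dict(counts)


def flagged(counts, threshold=THRESHOLD):
    """| where count > threshold"""
    return {k: c for k, c in counts.items() if c > threshold}


def summarize_per_minute(events):
    """The reducing search: | bin _time span=1m | stats count by _time src action,
    which is what you would schedule and | collect into a summary index."""
    buckets = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for ev in events:
        minute = ev["_time"].replace(second=0, microsecond=0)
        buckets[(minute, ev["src"])][ev["action"]] += 1
    return [{"_time": t, "src": s, **c} for (t, s), c in sorted(buckets.items())]


def summary_detect(summary, maxspan=MAXSPAN, threshold=THRESHOLD):
    """Same 'allowed then blocked within maxspan' idea run over summary rows:
    a blocked minute counts if the same src had an allowed minute up to maxspan earlier.
    Blocked events are summed per src; sources over threshold are returned."""
    by_src = defaultdict(list)
    for row in summary:
        by_src[row["src"]].append(row)
    hits = {}
    for src, rows in by_src.items():
        total = 0
        for row in rows:
            if row["blocked"] and any(
                r["allowed"] and timedelta(0) <= row["_time"] - r["_time"] <= maxspan
                for r in rows
            ):
                total += row["blocked"]
        if total > threshold:
            hits[src] = total
    return hits


if __name__ == "__main__":
    evs = build_sample_events()
    print("raw events:", len(evs))
    print("transaction counts:", transaction_count(evs))
    print("flagged via transaction:", flagged(transaction_count(evs)))
    rows = summarize_per_minute(evs)
    print("summary rows:", len(rows))
    print("flagged via summary:", summary_detect(rows))
```

The summary version trades exactness for cost: it no longer pairs individual allowed and blocked events, only minute buckets, but the scheduled reducing search touches the raw firewall feed once per interval and the detection then runs over a few rows per source per minute instead of millions of raw events.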