Hi,
I'm trying to get my firewall logs to combine the total amount of traffic generated by specific IP addresses and aggregate the data (working), but also to add an extra field called "Floor" to identify where the IP range is (not working).
The following command shows no results:
sourcetype=JuniperFW
| where cidrmatch("10.0.1.0/24", src)| eval Floor=if(cidrmatch("10.0.1.0/24", src), "1", "Unknown")
| where cidrmatch("10.0.2.0/24", src)| eval Floor=if(cidrmatch("10.0.2.0/24", src), "2", "Unknown")
| where cidrmatch("10.0.3.0/24", src)| eval Floor=if(cidrmatch("10.0.3.0/24", src), "3", "Unknown")
| where cidrmatch("10.0.4.0/24", src)| eval Floor=if(cidrmatch("10.0.4.0/24", src), "4", "Unknown")
| where cidrmatch("10.0.5.0/24", src)| eval Floor=if(cidrmatch("10.0.5.0/24", src), "5", "Unknown")
| where cidrmatch("10.0.6.0/24", src)| eval Floor=if(cidrmatch("10.0.6.0/24", src), "6", "Unknown")
| stats sum(sent) AS TotalSent, sum(rcvd) AS TotalRcvd by src
| eval TotalSentMB=round(TotalSent/1024/1024,2) | eval TotalRcvdMB=round(TotalRcvd/1024/1024,2) | eval TotalMB=round((TotalSent+TotalRcvd)/1024/1024,2) | eval TotalGB=round((TotalSent+TotalRcvd)/1024/1024/1024,2)
| table src Floor TotalSentMB TotalRcvdMB TotalMB TotalGB
If I do the command without the evals then it works, but it will not show a floor number. What am I missing here?
Thanks!
Ken
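
An added example, not part of the original post: each `where cidrmatch(...)` in the search above discards every event outside its subnet, so chaining six different subnets leaves no events, and `stats ... by src` then drops any field it does not name. One way to label each source with its floor is a single `case()` evaluated before `stats`, with `Floor` carried in the `by` clause; the field names and subnets are the ones in the post.

```spl
sourcetype=JuniperFW
| eval Floor=case(
    cidrmatch("10.0.1.0/24", src), "1",
    cidrmatch("10.0.2.0/24", src), "2",
    cidrmatch("10.0.3.0/24", src), "3",
    cidrmatch("10.0.4.0/24", src), "4",
    cidrmatch("10.0.5.0/24", src), "5",
    cidrmatch("10.0.6.0/24", src), "6",
    true(), "Unknown")
| stats sum(sent) AS TotalSent, sum(rcvd) AS TotalRcvd by src, Floor
| eval TotalSentMB=round(TotalSent/1024/1024,2),
       TotalRcvdMB=round(TotalRcvd/1024/1024,2),
       TotalMB=round((TotalSent+TotalRcvd)/1024/1024,2),
       TotalGB=round((TotalSent+TotalRcvd)/1024/1024/1024,2)
| table src Floor TotalSentMB TotalRcvdMB TotalMB TotalGB
```

Sources outside the six ranges appear with Floor "Unknown"; appending `| where Floor!="Unknown"` after the first `eval` restricts the report to the listed subnets.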