Dec 5 18:04:51 192.168.69.50 pfsp: Host Detection alert #22049413, start 2017-12-06 00:03:45 GMT, duration 66, direction incoming, host 71.92.104.13, signatures (ICMP, IP Fragmentation, Total Traffic, UDP, DNS Amplification), impact 4.00 Gbps/386.20 Kpps, importance 2, managed_objects ("Tonga"), (parent managed object "nil")
Dec 5 16:19:51 192.168.69.50 pfsp: Host Detection alert #22049331, start 2017-12-05 22:16:45 GMT, duration 186, direction incoming, host 24.177.66.30, signatures (ICMP, IP Fragmentation, TCP NULL, TCP SYN, TCP RST, Total Traffic, UDP), impact 310.64 Mbps/104.45 Kpps, importance 2, managed_objects ("Tonga"), (parent managed object "nil")
Please help me parse this log event. For some reason, it has been parsed as a single field in my Splunk instance. On top of it all, I do not have access to the .prof files to change the field extraction criteria, hence I need to utilize Splunk commands to properly parse them to create a table.
Please help me parse the log as follows: _time: Dec 5 18:04:51, collector IP_address: 192.168.69.50, Type: Host Detection, Alert_id: 22049413, start_time: 2017-12-06 00:03:45 GMT, duration: 66, direction: incoming, host: 71.92.104.13, signatures: ICMP, IP Fragmentation, Total Traffic, UDP, DNS Amplification, impact: 4.00 Gbps/386.20 Kpps, importance: 2, managed_objects: Tonga, parent managed object: nil.
I have been trying to use the rex command, but since I am not an expert at it, it's not working out so well. A colleague suggested mvindex; I am trying to parse it using that, but I hope I can get some help from the awesome Splunk community.
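As an added example (not from the original post), here is the regex that extracts the requested fields from the two events above, worked out in Python so it can be checked offline, plus a helper that rewrites it into rex syntax; the group names event_time and alert_host are my substitutes for _time and host, which Splunk reserves for its own timestamp and source-host fields.

```python
import re

# Constructed sample: the two events quoted in the post, verbatim.
SAMPLE = [
    'Dec 5 18:04:51 192.168.69.50 pfsp: Host Detection alert #22049413, start 2017-12-06 00:03:45 GMT, duration 66, direction incoming, host 71.92.104.13, signatures (ICMP, IP Fragmentation, Total Traffic, UDP, DNS Amplification), impact 4.00 Gbps/386.20 Kpps, importance 2, managed_objects ("Tonga"), (parent managed object "nil")',
    'Dec 5 16:19:51 192.168.69.50 pfsp: Host Detection alert #22049331, start 2017-12-05 22:16:45 GMT, duration 186, direction incoming, host 24.177.66.30, signatures (ICMP, IP Fragmentation, TCP NULL, TCP SYN, TCP RST, Total Traffic, UDP), impact 310.64 Mbps/104.45 Kpps, importance 2, managed_objects ("Tonga"), (parent managed object "nil")',
]

# One anchored pattern for the whole event. Each comma-separated "key value" pair gets
# its own named group; list-like values are captured whole and split afterwards.
PATTERN = (
    r'^(?P<event_time>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+'   # syslog timestamp
    r'(?P<collector_ip>\d{1,3}(?:\.\d{1,3}){3})\s+pfsp:\s+'       # collector address
    r'(?P<type>.+?)\s+alert\s+#(?P<alert_id>\d+),\s+'             # "Host Detection", id
    r'start\s+(?P<start_time>[^,]+),\s+'
    r'duration\s+(?P<duration>\d+),\s+'
    r'direction\s+(?P<direction>\w+),\s+'
    r'host\s+(?P<alert_host>[^,]+),\s+'                           # "host" is a Splunk default field
    r'signatures\s+\((?P<signatures>[^)]*)\),\s+'                 # parenthesised list
    r'impact\s+(?P<impact>[^,]+),\s+'
    r'importance\s+(?P<importance>\d+),\s+'
    r'managed_objects\s+\("(?P<managed_objects>[^"]*)"\),\s+'     # strip the quotes
    r'\(parent managed object\s+"(?P<parent_managed_object>[^"]*)"\)'
)
EVENT_RE = re.compile(PATTERN)


def parse_event(raw):
    """Return a dict of fields for one event, or None if the line does not match."""
    m = EVENT_RE.match(raw)
    if not m:
        return None
    fields = m.groupdict()
    # Multivalue field, like | makemv delim=", " signatures in SPL.
    fields["signatures"] = [s.strip() for s in fields["signatures"].split(",")]
    fields["duration"] = int(fields["duration"])
    fields["importance"] = int(fields["importance"])
    return fields


def to_splunk_rex(pattern=PATTERN):
    """Rewrite the Python pattern as a rex command: (?<name>) groups, escaped quotes."""
    spl = pattern.replace("(?P<", "(?<").replace('"', r'\"')
    return f'rex field=_raw "{spl}"'


if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_event(line))
    print(to_splunk_rex())
```

In Splunk the only change from the printed rex is splitting the signatures list with makemv or split(); everything else is already a plain key-value table.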