Splunk Search

How do i group the log for ip, or type?

graidelak
New Member

Hi, I want to know how I can group the logs from my firewall by source IP, dest_ip or type, because I want to make a report that shows me the attacks or events by group.

Maybe it's a stupid question, but I'm just a newbie using Splunk and I want to learn how I can do that.

Thank you


rogerdpack
Path Finder

query | chart count by host

the important part being "by host"


graidelak
New Member

I'm sorry if you couldn't understand me.

I mean I want to do a report that tells me who attacked me and from which IP, things like that, but I have no idea how to group these events.


Ayn
Legend

You'd need to create fields out of your logs (covered in the tutorial; tl;dr: use the interactive field extractor in splunkweb), and then grab stats on the fields you mention (also covered in the tutorial). If you want to create a search form that only requires you to input an IP number and automatically get charts, tables etc., have a look at the "Build forms" section of the developer manual.
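As an added example (not from any poster in this thread), here is the kind of stats search that does the grouping asked for once the fields exist. It assumes the events live in an index called firewall with sourcetype watchguard and that field extraction has produced src_ip, dest_ip and type; those names and the type values deny/attack/error are taken from the question, not from the WatchGuard log format.

```spl
index=firewall sourcetype=watchguard (type=deny OR type=attack OR type=error)
| eval type=lower(type)
| stats count AS events,
        dc(dest_ip) AS distinct_targets,
        earliest(_time) AS first_seen,
        latest(_time) AS last_seen
  BY src_ip type
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - events
```

Swapping `BY src_ip type` for `BY dest_ip type` gives the same report from the target's side, and `| timechart count BY type` on the same base search shows how the deny/attack/error volume changes over time.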

graidelak
New Member

Yeah, I did, but I can't group those events. Let me see if I can explain better.

I want to see my firewall log (WatchGuard) and make some searches by src_ip or dest_ip and then a report to see how many deny, attack, or error events I had.

I saw many apps for firewalls but I didn't see one for WatchGuard Firebox.


Ayn
Legend

Did you take the Splunk tutorial? It's a great way to get past the "I'm very new to Splunk" phase.


melting
Splunk Employee

I am not sure I understand the question.

If you want statistics then take a look here:

If you want these combined together, perhaps the transaction search command.
