Hi Sean, try the following:
<base search> | rex field=event_desc "to (?<dst_ip_address>\d+\.\d+\.\d+\.\d+)/(?<dst_port>\d+)" | stats count by dst_ip_address, dst_port
If this doesn't work, if you could post an actual event I might be able to fine tune it for you.
Hope this helps 🙂
Got it... I was missing a ? before
Glad I could help 🙂
Thanks. I removed field=event_desc, and I still get the matching events but no results found.
I have the Firewall app, but it doesn't give me all the info I need.
Ahhh... well in that case get rid of field=event_desc and you should be good.
Also, seeing as you're dealing with ASA logs, you might find the "Splunk for Cisco Firewalls" and "Cisco Security Suite" apps worth a look.
Thank you for your help. Unfortunately, the results come out empty. Splunk says it finds 1900+ matches though. Here is an actual event.
Sep 23 18:14:15 10.10.10.1 Sep 23 2013 18:16:15: %ASA-6-106015: Deny TCP (no connection) from 15.16.17.8/80 to 12.22.12.1/1398 flags FIN PSH ACK on interface outside
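The rex extraction and `stats count by` from the thread, reproduced in Python as an added example (not code from the thread or from Splunk): the same named groups are pulled from the raw event and aggregated by destination IP and port. The sample events are constructed from the posted one with made-up addresses; note that Splunk's rex runs against `_raw` when no `field=` is given, which is why dropping the non-existent `event_desc` field made the search work.

```python
import re
from collections import Counter

# Python equivalent of the thread's rex: destination IP and port from an
# ASA "Deny TCP ... from SRC/PORT to DST/PORT" message (same group names).
DST_RE = re.compile(r"to (?P<dst_ip_address>\d+\.\d+\.\d+\.\d+)/(?P<dst_port>\d+)")

# Constructed sample events modelled on the one posted above (IPs made up).
SAMPLE_EVENTS = [
    "Sep 23 18:14:15 10.10.10.1 Sep 23 2013 18:16:15: %ASA-6-106015: Deny TCP (no connection) "
    "from 15.16.17.8/80 to 12.22.12.1/1398 flags FIN PSH ACK on interface outside",
    "Sep 23 18:14:16 10.10.10.1 Sep 23 2013 18:16:16: %ASA-6-106015: Deny TCP (no connection) "
    "from 15.16.17.8/443 to 12.22.12.1/1398 flags FIN PSH ACK on interface outside",
    "Sep 23 18:14:17 10.10.10.1 Sep 23 2013 18:16:17: %ASA-6-106015: Deny TCP (no connection) "
    "from 15.16.17.9/80 to 12.22.12.5/22 flags SYN on interface outside",
    # A different ASA message id: "to inside:..." does not match the rex, so it
    # contributes no dst fields, just as it would yield no rows in Splunk.
    "Sep 23 18:14:18 10.10.10.1 Sep 23 2013 18:16:18: %ASA-6-302014: Teardown TCP connection 123 "
    "for outside:15.16.17.8/80 to inside:12.22.12.1/1398 duration 0:00:01 bytes 0 TCP FINs",
]


def extract_dst(event):
    """Apply the rex to one raw event; return (dst_ip_address, dst_port) or None."""
    m = DST_RE.search(event)
    if not m:
        return None
    port = int(m.group("dst_port"))
    if not 0 <= port <= 65535:  # a digit run that is not a real port is a parse miss
        return None
    return m.group("dst_ip_address"), port


def count_by_dst(events):
    """Equivalent of `| stats count by dst_ip_address, dst_port`."""
    return Counter(d for d in map(extract_dst, events) if d is not None)


def stats_rows(events):
    """Rows as Splunk would tabulate them: (dst_ip_address, dst_port, count), busiest first."""
    counts = count_by_dst(events)
    return [(ip, port, n) for (ip, port), n in
            sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


if __name__ == "__main__":
    for ip, port, n in stats_rows(SAMPLE_EVENTS):
        print(f"{ip:<16}{port:<8}{n}")
```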