Splunk Search

How to write a stats search on syslog data to get a report of all country names that are blocked?

smarra
Engager

I'm very new to splunk, and just started using it. Please forgive my ignorance.

I'm dumping my syslog from a sonicwall. They look something like this.

Oct  2 16:12:06 10.89.55.40 id=firewall sn=xxxxxx  time="2014-10-02 16:12:06" fw= pri=1 c=0 m=1198 msg="Initiator from country blocked: Initiator IP:209.172.40.87 Country Name:China" note="Initiator IP:209.172.40.87 Country Name:China" sess=None n=176896 src=209.172.40.87:43642:X1:smtp-newslist-87.coremotivesmarketing.com dst=

I would like to get a report that would list all the country names that are blocked and give me totals/statistics.

Thanks for your help.

1 Solution

MuS
Legend

Hi smarra,

first use some regex to get the Country name as field like this:

| rex "Country\sName\:(?<Country>[^"]+)\""

then use some stats on this new field like this:

| stats count by Country

So, by using something like this search command, you will get a statistical count of all blocked Countries:

sourcetype=syslog id=firewall msg="*blocked*" | rex "Country\sName\:(?<Country>[^"]+)\"" | stats count by Country

if this matches your needs, you can create this as a search-time field extraction. In this case the field will be available without the use of the regex.

hope this helps to get you started ...

cheers, MuS
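To see what the rex-then-stats pipeline actually does to these events, here is an added Python stand-in (example code written for this page, not MuS's answer or anything from Splunk). It runs the same base filter (`id=firewall`, a `msg` containing "blocked"), applies a `Country Name:` regex, and counts per country the way `stats count by Country` would. The sample events are constructed: the first copies the shape of the line in the question, the others use placeholder addresses and an invented non-blocked message. The `Initiator_IP` extraction is included because the same line carries the address a later `iplocation` step would need.

```python
import re
from collections import Counter

# Constructed sample events in the SonicWall syslog shape shown in the question.
# Addresses other than the one in the question are documentation placeholders.
SAMPLE_EVENTS = [
    'Oct  2 16:12:06 10.89.55.40 id=firewall sn=xxxxxx  time="2014-10-02 16:12:06" fw= pri=1 c=0 m=1198 '
    'msg="Initiator from country blocked: Initiator IP:209.172.40.87 Country Name:China" '
    'note="Initiator IP:209.172.40.87 Country Name:China" sess=None n=176896 src=209.172.40.87:43642:X1 dst=',
    'Oct  2 16:13:11 10.89.55.40 id=firewall sn=xxxxxx  time="2014-10-02 16:13:11" fw= pri=1 c=0 m=1198 '
    'msg="Initiator from country blocked: Initiator IP:198.51.100.23 Country Name:United States" '
    'note="Initiator IP:198.51.100.23 Country Name:United States" sess=None n=176897 src=198.51.100.23:51002:X1 dst=',
    'Oct  2 16:14:02 10.89.55.40 id=firewall sn=xxxxxx  time="2014-10-02 16:14:02" fw= pri=1 c=0 m=1198 '
    'msg="Initiator from country blocked: Initiator IP:203.0.113.5 Country Name:China" '
    'note="Initiator IP:203.0.113.5 Country Name:China" sess=None n=176898 src=203.0.113.5:40211:X1 dst=',
    # Constructed non-blocked event: must be excluded by the base search filter.
    'Oct  2 16:14:30 10.89.55.40 id=firewall sn=xxxxxx  time="2014-10-02 16:14:30" fw= pri=6 c=0 m=537 '
    'msg="Connection Closed" sess=None n=176899 src=192.0.2.10:53120:X0 dst=198.51.100.7:443:X1',
]

# Python equivalent of: | rex "Country\sName\:(?<Country>[^"]+)\""
# [^"]+ runs up to the closing quote, so multi-word names survive intact;
# \w+ would stop at the first space and turn "United States" into "United".
COUNTRY_RE = re.compile(r'Country\sName:(?P<Country>[^"]+)"')

# Second extraction pulling the initiator address (the field a later iplocation step would use).
INITIATOR_IP_RE = re.compile(r'Initiator IP:(?P<Initiator_IP>\d{1,3}(?:\.\d{1,3}){3})')


def is_blocked_firewall_event(event):
    """Mirror the base search: id=firewall msg="*blocked*"."""
    if "id=firewall" not in event:
        return False
    msg = re.search(r'msg="([^"]*)"', event)
    return msg is not None and "blocked" in msg.group(1)


def extract_fields(event):
    """Return the Country and Initiator_IP fields rex would add (None when absent)."""
    country = COUNTRY_RE.search(event)
    ip = INITIATOR_IP_RE.search(event)
    return {
        "Country": country.group("Country") if country else None,
        "Initiator_IP": ip.group("Initiator_IP") if ip else None,
    }


def stats_count_by_country(events):
    """Equivalent of | stats count by Country over the filtered events.

    Events with no Country field are dropped, just as stats ... by drops
    events lacking the split-by field.  Result is sorted by count, then name.
    """
    counter = Counter()
    for event in events:
        if not is_blocked_firewall_event(event):
            continue
        country = extract_fields(event)["Country"]
        if country is not None:
            counter[country] += 1
    return dict(sorted(counter.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    for name, count in stats_count_by_country(SAMPLE_EVENTS).items():
        print(f"{name:<20} {count}")
```

The non-blocked event is there to show that the filtering belongs in the base search, before rex: without it, unrelated firewall messages would simply fall out of the stats table because they have no Country field, which hides the fact that the search scanned far more events than needed.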


smarra
Engager

Perfect Thank you for your help! I'm terrible when it comes to this kind of stuff!

I like fancy google maps stuff. Thanks for the link. Hopefully I can make head/tails of it!


MuS
Legend

you're welcome. Please mark this as answered, thx 🙂


MuS
Legend

Or you extract the IP as a field and use the IP field in the `iplocation` command http://docs.splunk.com/Documentation/Splunk/6.1.4/SearchReference/Iplocation which will give some more fields that you can use for some fancy Google Maps dashboards 😉
