I'm very new to Splunk and just started using it. Please forgive my ignorance.
I'm dumping my syslog from a SonicWall. The events look something like this:
Oct 2 16:12:06 10.89.55.40 id=firewall sn=xxxxxx time="2014-10-02 16:12:06" fw= pri=1 c=0 m=1198 msg="Initiator from country blocked: Initiator IP:209.172.40.87 Country Name:China" note="Initiator IP:209.172.40.87 Country Name:China" sess=None n=176896 src=209.172.40.87:43642:X1:smtp-newslist-87.coremotivesmarketing.com dst=
I would like to get a report that would list all the country names that are blocked and give me totals/statistics.
Thanks for your help.
Hi smarra,
first use some regex to get the Country name as a field like this:
| rex "Country\sName\:(?<Country>\w+)\""
then use some stats on this new field like this:
| stats count by Country
So, by using something like this search command, you will get a statistical count of all blocked Countries:
sourcetype=syslog id=firewall msg="*blocked*" | rex "Country\sName\:(?<Country>\w+)\"" | stats count by Country
if this matches your needs, you can create this as a search-time field extraction. In this case the field will be available without the use of the regex.
hope this helps to get you started ...
cheers, MuS
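As an added illustration (not part of MuS's answer or of Splunk itself), the script below emulates the `msg="*blocked*" | rex ... | stats count by Country` pipeline in Python over a handful of constructed SonicWall-style events, using RFC 5737 documentation addresses as placeholders. It runs the regex from the answer next to an assumed hardened variant, `Country\sName:(?<Country>[^"]+)"`, to show a caveat worth knowing before trusting the totals: `\w+` only matches a single word, so an event whose country is "United States" gets no Country field and silently drops out of the `stats count by Country` result. Python's `re` spells a named group `(?P<Country>...)` where SPL's PCRE uses `(?<Country>...)`.

```python
import re
from collections import Counter

# SPL rex uses PCRE named groups (?<Country>...); Python's re spells them (?P<Country>...).
# Translation of the regex from the answer: \w+ matches only a single-word country name.
ANSWER_PATTERN = re.compile(r'Country\sName:(?P<Country>\w+)"')
# Assumed hardening (not from the page): capture everything up to the closing quote,
# so multi-word names such as "United States" are not lost.
ROBUST_PATTERN = re.compile(r'Country\sName:(?P<Country>[^"]+)"')

# Stand-in for the base search `id=firewall msg="*blocked*"` (SPL wildcards are case-insensitive).
BLOCKED_MSG = re.compile(r'\bid=firewall\b.*\bmsg="[^"]*blocked[^"]*"', re.IGNORECASE)


def make_event(src_ip, country, blocked=True):
    """Build one constructed SonicWall-style syslog line in the shape shown in the question.
    Placeholder data only (RFC 5737 addresses); not real firewall output."""
    if blocked:
        msg = f"Initiator from country blocked: Initiator IP:{src_ip} Country Name:{country}"
    else:
        msg = "Connection Opened"
    return (
        'Oct 2 16:12:06 10.89.55.40 id=firewall sn=xxxxxx time="2014-10-02 16:12:06" '
        f'fw= pri=1 c=0 m=1198 msg="{msg}" note="{msg if blocked else ""}" '
        f"sess=None n=176896 src={src_ip}:43642:X1 dst="
    )


# Constructed sample events: three single-word countries, one two-word country,
# and one event that is not a country block and must be filtered out.
SAMPLE_EVENTS = [
    make_event("203.0.113.5", "China"),
    make_event("203.0.113.6", "China"),
    make_event("198.51.100.7", "United States"),
    make_event("192.0.2.9", "Brazil"),
    make_event("192.0.2.10", "Brazil", blocked=False),
]


def extract_country(event, pattern=ROBUST_PATTERN):
    """Emulate `| rex ...`: return the first Country match, or None when rex would leave the field unset."""
    m = pattern.search(event)
    return m.group("Country") if m else None


def count_blocked_by_country(events, pattern=ROBUST_PATTERN):
    """Emulate `id=firewall msg="*blocked*" | rex ... | stats count by Country`."""
    counts = Counter()
    for ev in events:
        if not BLOCKED_MSG.search(ev):
            continue  # not a block event; the base search would not return it
        country = extract_country(ev, pattern)
        if country is None:
            continue  # stats count by Country silently skips events with no Country field
        counts[country] += 1
    return counts


if __name__ == "__main__":
    for name, pat in (("answer regex", ANSWER_PATTERN), ("robust regex", ROBUST_PATTERN)):
        print(f"{name}: {dict(count_blocked_by_country(SAMPLE_EVENTS, pat))}")
```

With the answer's regex the script reports China 2 and Brazil 1 and never mentions the United States event; with the wider capture it reports all three. In SPL the equivalent hardened extraction is `| rex "Country\sName:(?<Country>[^\"]+)\""`, and appending `| sort -count` to the stats command orders the report by the busiest source country.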
Perfect! Thank you for your help! I'm terrible when it comes to this kind of stuff!
I like fancy google maps stuff. Thanks for the link. Hopefully I can make head/tails of it!
you're welcome. Please mark this as answered, thx 🙂
Or you extract the IP as a field and use the IP field in the iplocation command (http://docs.splunk.com/Documentation/Splunk/6.1.4/SearchReference/Iplocation), which will give you some more fields that you can use for some fancy Google Maps dashboards 😉