How to write a stats search on syslog data to get a report of all country names that are blocked?

smarra
Engager

I'm very new to splunk, and just started using it. Please forgive my ignorance.

I'm dumping my syslog from a sonicwall. They look something like this.

Oct  2 16:12:06 10.89.55.40 id=firewall sn=xxxxxx  time="2014-10-02 16:12:06" fw= pri=1 c=0 m=1198 msg="Initiator from country blocked: Initiator IP:209.172.40.87 Country Name:China" note="Initiator IP:209.172.40.87 Country Name:China" sess=None n=176896 src=209.172.40.87:43642:X1:smtp-newslist-87.coremotivesmarketing.com dst=

I would like to get a report that would list all the country names that are blocked and give me totals/statistics.

Thanks for your help.

1 Solution

MuS
SplunkTrust

Hi smarra,

first use some regex to get the Country name as field like this:

| rex "Country\sName\:(?<Country>\w+)\"" 

then use some stats on this new field like this:

| stats count by Country

So, by using something like this search command, you will get a statistical count of all blocked Countries:

sourcetype=syslog id=firewall msg="*blocked*" | rex "Country\sName\:(?<Country>\w+)\"" | stats count by Country

if this matches your needs, you can create this as search time field extraction. In this case the field will be available without the use of the regex.

hope this helps to get you started ...

cheers, MuS
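The pipeline in the answer above (filter on blocked firewall events, rex out the Country field, stats count by Country), re-implemented offline in Python so the behaviour of the regex can be checked against sample events. This is an added example, not code from MuS or from Splunk; the log lines are constructed in the shape of the SonicWall message in the question, with documentation-range IPs (198.51.100.x, 203.0.113.x, 192.0.2.x) for everything except the address the question already shows. It also shows a caveat a practitioner will hit: because the answer's rex requires the closing quote right after `\w+`, a multi-word country such as "United States" never matches, so those events silently drop out of the count rather than appearing truncated. A pattern that reads up to the closing quote keeps them. The `extract_src_ip` helper pulls the src= address, which is the field one would hand to the iplocation command mentioned in the later reply.

```python
import re
from collections import Counter

# Constructed sample SonicWall-style syslog lines (only the shape comes from the
# original post; 198.51.100.x / 203.0.113.x / 192.0.2.x are documentation ranges).
SAMPLE_LOGS = [
    'Oct  2 16:12:06 10.89.55.40 id=firewall sn=xxxxxx time="2014-10-02 16:12:06" fw= pri=1 c=0 m=1198 '
    'msg="Initiator from country blocked: Initiator IP:209.172.40.87 Country Name:China" '
    'note="Initiator IP:209.172.40.87 Country Name:China" sess=None n=176896 src=209.172.40.87:43642:X1 dst=',
    'Oct  2 16:13:10 10.89.55.40 id=firewall sn=xxxxxx time="2014-10-02 16:13:10" fw= pri=1 c=0 m=1198 '
    'msg="Initiator from country blocked: Initiator IP:198.51.100.23 Country Name:United States" '
    'note="Initiator IP:198.51.100.23 Country Name:United States" sess=None n=176897 src=198.51.100.23:51022:X1 dst=',
    'Oct  2 16:14:02 10.89.55.40 id=firewall sn=xxxxxx time="2014-10-02 16:14:02" fw= pri=1 c=0 m=1198 '
    'msg="Initiator from country blocked: Initiator IP:203.0.113.9 Country Name:China" '
    'note="Initiator IP:203.0.113.9 Country Name:China" sess=None n=176898 src=203.0.113.9:40001:X1 dst=',
    'Oct  2 16:15:30 10.89.55.40 id=firewall sn=xxxxxx time="2014-10-02 16:15:30" fw= pri=6 c=262144 m=98 '
    'msg="Connection Opened" sess=None n=176899 src=192.0.2.15:53000:X0 dst=198.51.100.5:443:X1',
]

# The answer's rex in Python syntax: Splunk's (?<name>...) is (?P<name>...) here.
# \w+ must be followed directly by the closing quote, so "United States" never matches.
ANSWER_PATTERN = re.compile(r'Country\sName\:(?P<Country>\w+)"')

# Reading everything up to the closing quote keeps multi-word country names intact.
FULL_NAME_PATTERN = re.compile(r'Country\sName\:(?P<Country>[^"]+)"')

# Source address from the src= key: the field you would feed to iplocation.
SRC_IP_PATTERN = re.compile(r'\bsrc=(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})')


def is_blocked_event(line):
    """Mirror the base search: id=firewall and msg contains 'blocked'."""
    msg = re.search(r'msg="([^"]*)"', line)
    return 'id=firewall' in line and msg is not None and 'blocked' in msg.group(1)


def extract_country(line, pattern=ANSWER_PATTERN):
    """Return the Country field for one event, or None when the rex does not match."""
    m = pattern.search(line)
    return m.group('Country') if m else None


def extract_src_ip(line):
    """Return the src= address of an event, or None if absent."""
    m = SRC_IP_PATTERN.search(line)
    return m.group('src_ip') if m else None


def count_blocked_by_country(lines, pattern=ANSWER_PATTERN):
    """Equivalent of ... msg="*blocked*" | rex ... | stats count by Country.

    Events where the rex does not match have no Country field, so, as in Splunk,
    they are simply absent from the result.
    """
    counts = Counter()
    for line in lines:
        if not is_blocked_event(line):
            continue
        country = extract_country(line, pattern)
        if country is not None:
            counts[country] += 1
    return dict(counts)


def blocked_src_ips(lines):
    """Source IPs of blocked events, deduplicated, in first-seen order."""
    seen = []
    for line in lines:
        if is_blocked_event(line):
            ip = extract_src_ip(line)
            if ip and ip not in seen:
                seen.append(ip)
    return seen


if __name__ == "__main__":
    for name, pattern in (("answer rex", ANSWER_PATTERN), ("full-name rex", FULL_NAME_PATTERN)):
        print(name, count_blocked_by_country(SAMPLE_LOGS, pattern))
    print("src IPs for iplocation:", blocked_src_ips(SAMPLE_LOGS))
```

Run as-is, the answer's rex reports only China (2 events) and loses the United States event, while the full-name pattern reports both. In SPL the same change is `| rex "Country\sName\:(?<Country>[^\"]+)\""`, and the same regex can go into the search-time field extraction the answer suggests, so the fix is made once rather than in every search.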


smarra
Engager

Perfect Thank you for your help! I'm terrible when it comes to this kind of stuff!

I like fancy google maps stuff. Thanks for the link. Hopefully I can make head/tails of it!

0 Karma

MuS
SplunkTrust

you're welcome. Please mark this as answered, thx 🙂

0 Karma

MuS
SplunkTrust

Or you extract the IP as a field and use the IP field in the iplocation command http://docs.splunk.com/Documentation/Splunk/6.1.4/SearchReference/Iplocation which will give some more fields that you can use for some fancy Google Maps dashboards 😉
