Hello. I'm completely new to Splunking and a novice with this firewall.
I'm basically trying to monitor bandwidth from a device on my network. I want a nice dashboard to show me this.
So the search that I am using basically starts like
dstname=10.1.11.103 OR src=10.1.11.103
But I'm not sure what goes next. I'm super clueless and I apologize for this. Thanks.
Here is a log entry, IPs omitted:
Mar 16 14:36:09 10.1.11.1 Mar 16 14:36:09 id=firewall time="2012-03-16 18:36:09" fw="00000000" pri=5 msg="Accept inbound, NAT tunnel" cat_action=pass dstname=10.1.11.103 proto=https/tcp src=10.1.11.102 srcport=4023 nat=208.x.x.134 natport=443 dnat=10.1.11.1 dnatport=4023 dst=10.1.11.103 dstport=443 rule=3 duration=134 sent=1531 rcvd=12945 pkts_sent=11 pkts_rcvd=14
I'm wondering if this syntax is correct:
dstname=10.1.11.103 OR src=10.1.11.103 | timechart sum(rcvd)
or even
dstname=10.1.11.103 OR src=10.1.11.103 |
eval tbytes= rcvd + sent |
timechart sum(tbytes)
Yes, that is exactly right. You can also do: ... | timechart sum(rcvd), sum(sent)
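To make concrete what the searches above compute, here is an added Python example (not part of the original thread and not Splunk code) that does by hand what `dstname=10.1.11.103 OR src=10.1.11.103 | eval tbytes=rcvd+sent | timechart sum(tbytes)` does: parse the firewall's key=value events, keep only those where the device is the source or the named destination, and sum `sent`, `rcvd` and `sent+rcvd` per 5-minute bucket. Two details matter in practice and are handled here: `msg="Accept inbound, NAT tunnel"` is a quoted value containing spaces and a comma, so a plain whitespace split would mis-parse the event (Splunk's automatic field extraction handles quoted values; the regex below does the same), and events without `sent`/`rcvd` must count as zero rather than crash the aggregation. The log lines are constructed to mirror the format in the question, with a documentation address in place of the omitted NAT address; the page does not say whether `sent`/`rcvd` are measured from the firewall's or the client's side, so the example keeps the log's own labels and does not assume a direction.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events modelled on the entry in the question (not real traffic).
# The "NAT" address is from the documentation range 203.0.113.0/24.
SAMPLE_LOGS = [
    'Mar 16 14:36:09 10.1.11.1 Mar 16 14:36:09 id=firewall time="2012-03-16 18:36:09" fw="00000000" pri=5 '
    'msg="Accept inbound, NAT tunnel" cat_action=pass dstname=10.1.11.103 proto=https/tcp src=10.1.11.102 '
    'srcport=4023 nat=203.0.113.134 natport=443 dnat=10.1.11.1 dnatport=4023 dst=10.1.11.103 dstport=443 '
    'rule=3 duration=134 sent=1531 rcvd=12945 pkts_sent=11 pkts_rcvd=14',
    'Mar 16 14:37:40 10.1.11.1 Mar 16 14:37:40 id=firewall time="2012-03-16 18:37:40" fw="00000000" pri=5 '
    'msg="Accept outbound" cat_action=pass dstname=10.1.11.50 proto=http/tcp src=10.1.11.103 srcport=5100 '
    'dst=10.1.11.50 dstport=80 rule=7 duration=12 sent=800 rcvd=200 pkts_sent=6 pkts_rcvd=5',
    'Mar 16 14:38:05 10.1.11.1 Mar 16 14:38:05 id=firewall time="2012-03-16 18:38:05" fw="00000000" pri=5 '
    'msg="Accept outbound" cat_action=pass dstname=10.1.11.21 proto=http/tcp src=10.1.11.20 srcport=5200 '
    'dst=10.1.11.21 dstport=80 rule=7 duration=3 sent=5000 rcvd=100 pkts_sent=9 pkts_rcvd=4',
    'Mar 16 14:42:11 10.1.11.1 Mar 16 14:42:11 id=firewall time="2012-03-16 18:42:11" fw="00000000" pri=5 '
    'msg="Accept outbound" cat_action=pass dstname=10.1.11.1 proto=https/tcp src=10.1.11.103 srcport=5300 '
    'dst=10.1.11.1 dstport=443 rule=7 duration=60 sent=300 rcvd=40000 pkts_sent=20 pkts_rcvd=35',
    # A constructed deny event with no byte counters: it must contribute 0, not an error.
    'Mar 16 14:43:00 10.1.11.1 Mar 16 14:43:00 id=firewall time="2012-03-16 18:43:00" fw="00000000" pri=4 '
    'msg="Deny inbound, policy" cat_action=block dstname=10.1.11.103 proto=ssh/tcp src=10.1.11.200 '
    'srcport=6000 dst=10.1.11.103 dstport=22 rule=1',
]

# key=value pairs; the value is either a double-quoted string (may contain spaces,
# commas and escaped quotes) or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(line):
    """Extract key=value fields from one event; the syslog header (no '=') is ignored."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def timechart(lines, device, span_minutes=5):
    """Equivalent of: dstname=<device> OR src=<device> | eval tbytes=rcvd+sent
    | timechart span=<span>m sum(sent) sum(rcvd) sum(tbytes)

    Returns {bucket_start: {"sent": int, "rcvd": int, "tbytes": int}} ordered by time.
    Buckets are keyed on the firewall's own "time" field, not the syslog header."""
    buckets = defaultdict(lambda: {"sent": 0, "rcvd": 0, "tbytes": 0})
    for line in lines:
        f = parse_kv(line)
        if device not in (f.get("src"), f.get("dstname")):
            continue
        ts = datetime.strptime(f["time"], "%Y-%m-%d %H:%M:%S")
        start = ts.replace(minute=ts.minute - ts.minute % span_minutes, second=0, microsecond=0)
        key = start.strftime("%Y-%m-%d %H:%M:%S")
        sent = int(f.get("sent", 0))   # missing counters (e.g. deny events) count as 0
        rcvd = int(f.get("rcvd", 0))
        b = buckets[key]
        b["sent"] += sent
        b["rcvd"] += rcvd
        b["tbytes"] += sent + rcvd
    return dict(sorted(buckets.items()))


if __name__ == "__main__":
    for bucket, totals in timechart(SAMPLE_LOGS, "10.1.11.103").items():
        print(bucket, totals)
```

Using `dstname` rather than `dst` matches the search in the question; on this log format both carry the same address, but if the device is ever reached through NAT the two fields can differ, so decide which one reflects the host you care about before building the dashboard.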