How to search my Sonicwall logs for multiple value...

Rockn · ‎07-29-2016

Very much a newb looking to get some basic information from my Sonicwall logs. Setting up the search using multiple criteria for the same field in the log file is what I am asking. I have a firewall event m=1079 (failed SSL VPN login) and m=1080 (successful). How does one string criteria with an OR?

Is it also possible to limit what is displayed in the search as well as group and count for output to dashboards?

Any good reading material would also be cool.

Thanks

somesoni2 · ‎07-29-2016

For reading material, Splunk docs is a good place to start
http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchTutorial/WelcometotheSearchTutorial

Videos
Basic searching
http://www.splunk.com/view/SP-CAAAGW8
https://www.youtube.com/watch?v=nhq9gjVkovU

To add one or more criteria in your search (using boolean functions), try likes this
Based on fields

index=foo sourcetype=bar (m=1079 OR m=1080)

String search

index=foo sourcetype=bar ("failed SSL VPN login" OR "successfull")

pradeepkumarg · ‎07-29-2016

If you have the field m already extracted then you can do following

 m=1079 OR m=1080

You can limit the data using head or tail commands. Below search will return first 10 occurences for m=1079

m=1079 | head 10

You can group the results by using stats

m=1079 OR m=1080 | stats count by m

Documentation here http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchTutorial/Aboutthesearchapp

How to search my Sonicwall logs for multiple values for the same field?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases