I use this log for 24 hours but get no result, even in the last 7 days.
However, when I search inbound and outbound separately, there are search results.
Is it a problem with the alias names for the destination IP and source IP?
Should both inbound and outbound exist for it to be called a successful connection?
If there is only an inbound connection but no outbound connection, can it be a successful connection?
source=/var/log/remote/192.168.1.1.log outsideip=* "Built inbound" NOT "8.8.8.8" NOT "8.8.4.4" | rex field=_raw "Outside:(?<destinationip2>\d+\.\d+\.\d+\.\d+){0,3}" | rex field=_raw "Inside:(?<sourceip2>\d+\.\d+\.\d+\.\d+){0,3}" | join destinationip2 [search "Built outbound" outsideip=* | rex field=_raw "Outside:(?<destinationip2>\d+\.\d+\.\d+\.\d+){0,3}"] | mvexpand destinationip2 | table destinationip2, sourceip2
Try a different approach
source=/var/log/remote/192.168.1.1.log outsideip=* "Built inbound" OR "Built outbound" NOT ("8.8.8.8" OR "8.8.4.4") | rex field=_raw "Outside:(?<destinationip2>\s?\d+\.\d+\.\d+\.\d+){0,3}" | rex field=_raw "Inside:(?<sourceip2>\s?\d+\.\d+\.\d+\.\d+){0,3}" | mvexpand destinationip2 | stats values(sourceip2) as sourceip2 by destinationip2
This approach searches inbound and outbound using OR, but it does not join them to find a specific session.
I think I should use maxspan=30s and join.
Actually, my logs look like these:
Aug 3 09:06:50 192.168.1.1 %ASA-6-302013: Built inbound TCP connection 429365644 for Outside:126.27.180.187/64765 (180.25.12.177/64765) to Inside:202.171.212.131/80 (230.120.220.141/80)
Aug 3 09:07:11 192.168.1.1 %ASA-6-302013: Built outbound TCP connection 429369569 for Outside:192.168.116.124/1883 (192.168.1.12/1883) to Inside:202.171.212.163/53381 (230.120.220.165/53381)
Today I searched again, and it has results now:
source=/var/log/remote/192.168.1.1.log outsideip=* "Built inbound" NOT "8.8.8.8" NOT "8.8.4.4" | rex field=_raw "Outside:(?<destinationip2>\d+\.\d+\.\d+\.\d+){0,3}" | rex field=_raw "Inside:(?<sourceip2>\d+\.\d+\.\d+\.\d+){0,3}" | join destinationip2 [search "Built outbound" outsideip=* | rex field=_raw "Outside:(?<destinationip2>\d+\.\d+\.\d+\.\d+){0,3}"] | mvexpand destinationip2 | stats values(sourceip2) as sourceip2, count by destinationip2 | sort -count | head 10