Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I combine information from two traps into a...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I combine information from two traps into a single line in table based off of message ID comparison, user, and IP address?
mstiger12
New Member
10-13-2016
12:17 PM
How do I combine information from two traps into a single line in table based off of message ID comparison, user, and IP address (Where IP address in one trap is data and not in a field)?
My search is as follows:
sourcetype="cisco:asa" host="*" message_id=113039 OR message_id=716002 OR message_id=113019
| eval ClientIP=src_ip
| table ClientIP, user, message_id, host, bytes_in, bytes_out, Total-BW, duration_hour, duration_minute, duration_second, _time
| localop | iplocation ClientIP
| rename bytes_in as Byte_Rcv | rename bytes_out as Byte_xmt
| addtotals fieldname=Total-BW Byte
Trap Format:
Oct 13 09:17:03 CiscoASA: %ASA-6-716002: Group User IP <111.222.333.444> WebVPN session terminated: Idle Timeout.
Oct 13 09:17:03 CiscoASA: %ASA-4-113019: Group = DTCC-VPN, Username = ABCD, IP = 111.222.333.444, Session disconnected. Session Type: IKEv2, Duration: 0h:48m:16s, Bytes xmt: 13787509, Bytes rcv: 1937242, Reason: Idle Timeout
Current Output :
Client user messageID host Byte-rcv Bytexmt Total-byte dur-hr dur-min dur-sec time city country region lat lon
ABCD 113019 CiscoASA 1937242 13787509 15787509 0 48 16 2016-10-13...
x.x.x.444 ABCD 716002 CiscoASA 2016-10-13 Arlington US TX 32.7 97.0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
10-13-2016
01:43 PM
Try this:
sourcetype="cisco:asa" host="*" message_id=113039 OR message_id=716002 OR message_id=113019
| eval ClientIP=src_ip | rex "IP \<(?<new_ip>111.222.333.444)\>"
| eval ClientIP = coalesce(ClientIP,src_ip,IP,new_ip)
| stats first(host) as host, first(bytes_in) as bytes_in, first(bytes_out) as bytes_out,
first(Total-BW) as Total-BW, first(duration_hour) as duration_hour,
first(duration_minute) as duration_minute, first(duration_second) as duration_second,
first(_time) as event_time by ClientIP user messageID
| localop | iplocation ClientIP
| rename bytes_in as Byte_Rcv | rename bytes_out as Byte_xmt
| eval event_time=strftime(event_time,"%x %X")
| addtotals fieldname=Total-BW Byte
The stats command picks the first non-null value for each field. If there is more than one value and you want to see them all, use "list" instead of "first" in the stats command.
Get Updates on the Splunk Community!
Introducing the 2024 SplunkTrust!
Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!
The ...
Introducing the 2024 Splunk MVPs!
We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...
Splunk Custom Visualizations App End of Life
The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...
