Splunk Search

How do I combine information from two traps into a single line in a table based on message ID comparison, user, and IP address?

mstiger12
New Member

How do I combine information from two traps into a single line in a table based on message ID comparison, user, and IP address (where the IP address in one trap is in the event data and not in a field)?

My search is as follows:

sourcetype="cisco:asa" host="*" (message_id=113039 OR message_id=716002 OR message_id=113019)
| eval ClientIP=src_ip 
| table ClientIP, user, message_id, host, bytes_in, bytes_out, Total-BW, duration_hour, duration_minute, duration_second, _time 
| localop | iplocation ClientIP 
| rename bytes_in as Byte_Rcv | rename bytes_out as Byte_xmt 
| addtotals fieldname=Total-BW Byte*

Trap Format:

Oct 13 09:17:03 CiscoASA: %ASA-6-716002: Group  User  IP <111.222.333.444> WebVPN session terminated: Idle Timeout.
Oct 13 09:17:03 CiscoASA: %ASA-4-113019: Group = DTCC-VPN, Username = ABCD, IP = 111.222.333.444, Session disconnected. Session Type: IKEv2, Duration: 0h:48m:16s, Bytes xmt: 13787509, Bytes rcv: 1937242, Reason: Idle Timeout

Current Output:

Client     user   messageID   host       Byte-rcv   Bytexmt   Total-byte   dur-hr   dur-min  dur-sec   time           city      country    region   lat   lon
           ABCD   113019      CiscoASA   1937242    13787509  15787509     0        48       16        2016-10-13...   
x.x.x.444  ABCD   716002      CiscoASA                                                                 2016-10-13     Arlington  US         TX       32.7  97.0
0 Karma

lguinn2
Legend

Try this:

sourcetype="cisco:asa" host="*" (message_id=113039 OR message_id=716002 OR message_id=113019)
| rex "IP\s+<(?<new_ip>[^>]+)>"
| eval ClientIP = coalesce(src_ip, IP, new_ip)
| stats values(message_id) as message_id, first(host) as host,
      first(bytes_in) as bytes_in, first(bytes_out) as bytes_out,
      first(duration_hour) as duration_hour, first(duration_minute) as duration_minute,
      first(duration_second) as duration_second, first(_time) as event_time by ClientIP user
| localop | iplocation ClientIP 
| rename bytes_in as Byte_Rcv | rename bytes_out as Byte_xmt 
| eval event_time=strftime(event_time,"%x %X")
| addtotals fieldname=Total-BW Byte*

The stats command picks the first non-null value for each field. If there is more than one value and you want to see them all, use "list" instead of "first" in the stats command.

0 Karma
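To make the merge concrete, here is an added Python model of what the answer's pipeline does (rex for the bracketed address, coalesce, stats first(...) by ClientIP user, addtotals on Byte*), run over two constructed lines in the formats from the question; it is not Splunk code or anything from the thread, and the group, user and IP values are made up.

```python
import re

# Constructed sample events modelled on the two ASA trap formats quoted in the
# question (group, user and IP are made up; 203.0.113.44 is a documentation address).
SAMPLE_EVENTS = [
    "Oct 13 09:17:03 CiscoASA: %ASA-6-716002: Group <DTCC-VPN> User <ABCD> IP <203.0.113.44> WebVPN session terminated: Idle Timeout.",
    "Oct 13 09:17:03 CiscoASA: %ASA-4-113019: Group = DTCC-VPN, Username = ABCD, IP = 203.0.113.44, Session disconnected. "
    "Session Type: IKEv2, Duration: 0h:48m:16s, Bytes xmt: 13787509, Bytes rcv: 1937242, Reason: Idle Timeout",
]

MSG_RE = re.compile(r"%ASA-\d-(?P<message_id>\d+):")
# 716002: the answer's rex, capturing whatever sits between the angle brackets
BRACKET_RE = re.compile(r"User <(?P<user>[^>]*)> IP <(?P<ip>[^>]+)>")
KV_RE = re.compile(  # 113019 is key=value style; the cisco:asa add-on extracts these as fields
    r"Username = (?P<user>[^,]+), IP = (?P<ip>[^,]+).*?"
    r"Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s, "
    r"Bytes xmt: (?P<bytes_out>\d+), Bytes rcv: (?P<bytes_in>\d+)")

def parse_event(line):
    """Extract message_id, user, ClientIP and (for 113019) the session counters."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {"message_id": m.group("message_id")}
    b, kv = BRACKET_RE.search(line), KV_RE.search(line)
    if b:
        fields.update(user=b.group("user"), ClientIP=b.group("ip"))
    elif kv:
        fields.update(user=kv.group("user"), ClientIP=kv.group("ip"),
                      duration_hour=int(kv.group("h")), duration_minute=int(kv.group("m")),
                      duration_second=int(kv.group("s")), Byte_xmt=int(kv.group("bytes_out")),
                      Byte_Rcv=int(kv.group("bytes_in")))
    return fields

def merge_sessions(lines):
    """One row per (ClientIP, user); each field keeps the first non-null value, like stats first()."""
    rows = {}
    for line in lines:
        ev = parse_event(line)
        if not ev or "ClientIP" not in ev:
            continue  # nothing to join on; stats likewise drops events with a null by-field
        row = rows.setdefault((ev["ClientIP"], ev["user"]), {"message_id": []})
        row["message_id"].append(ev.pop("message_id"))  # values(message_id)
        for k, v in ev.items():
            if row.get(k) is None:
                row[k] = v
    for row in rows.values():  # addtotals fieldname=Total-BW Byte*
        row["Total-BW"] = row.get("Byte_Rcv", 0) + row.get("Byte_xmt", 0)
    return list(rows.values())
```

Running merge_sessions(SAMPLE_EVENTS) yields a single row carrying the address from the 716002 text and the byte and duration counters from 113019.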