The log format is:
Apr 24 18:37:07 10.11.26.83 2012-04-24 06:07:09.732 -0700 barracuda WF ALER SQL_INJECTION_IN_URL 99.99.182.1 44727 99.99.83.74 80 security-policy GLOBAL DENY NONE [type="sql-injection-medium" pattern="sql-comments" token="/"] GET 99.99.83.74/index.html// HTTP "-" "Wget/1.12 (linux-gnu)" 99.99.182.1 44727 "-" "-"
The two fields in bold letters are the application_ip and application_port fields respectively. I used the following search command to extract the two fields together in my search results in the format application_ip:application_port.
sourcetype="firewall" |eval ip_port=application_ip+":"+application_port
But now I need to extract the results by matching on ip_port, e.g. ip_port=99.99.83.74:80, in the same search query.
How can I do this?
Please help...
Thanks....
sourcetype="firewall" | eval ip_port=application_ip+":"+application_port | search ip_port="99.99.83.74:80"
or
sourcetype="firewall" | eval ip_port=application_ip+":"+application_port | where ip_port="99.99.83.74:80"
It's way more efficient to filter in the search directly, though:
sourcetype="firewall" application_ip=99.99.83.74 application_port=80 | eval ip_port=application_ip+":"+application_port
Thanks a lot, sdaniels !!!
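As an added example that is not part of this thread: a Python sketch that parses the Barracuda WF line quoted in the question, builds the same ip_port value the eval produces, and filters on the two source fields before concatenating, which is the cheaper approach the answer recommends. Only application_ip and application_port are field names from the thread; the other group names are my own labels, and the second and third log lines are constructed variants of the first.

```python
import re

# Field layout of the Barracuda WF line quoted in the question. Only application_ip and
# application_port are names from the thread; the other group names are my own labels.
LOG_RE = re.compile(
    r"^(?P<syslog_time>\w{3}\s+\d{1,2}\s+[\d:]{8})\s+(?P<relay_ip>\S+)\s+"
    r"(?P<dev_date>\S+)\s+(?P<dev_time>\S+)\s+(?P<tz>\S+)\s+"
    r"(?P<unit>\S+)\s+WF\s+(?P<severity>\S+)\s+(?P<attack>\S+)\s+"
    r"(?P<client_ip>\S+)\s+(?P<client_port>\d+)\s+"
    r"(?P<application_ip>\S+)\s+(?P<application_port>\d+)\s+"
    r"(?P<policy_type>\S+)\s+(?P<policy>\S+)\s+(?P<action>\S+)\s+(?P<followup>\S+)\s+"
    r"\[(?P<details>[^\]]*)\]\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<protocol>\S+)\s+"
    r'"(?P<referer>[^"]*)"\s+"(?P<user_agent>[^"]*)"'
)

# First line is the one from the question; the other two are constructed variants.
SAMPLE_LINES = [
    'Apr 24 18:37:07 10.11.26.83 2012-04-24 06:07:09.732 -0700 barracuda WF ALER SQL_INJECTION_IN_URL '
    '99.99.182.1 44727 99.99.83.74 80 security-policy GLOBAL DENY NONE [type="sql-injection-medium" '
    'pattern="sql-comments" token="/"] GET 99.99.83.74/index.html// HTTP "-" "Wget/1.12 (linux-gnu)" '
    '99.99.182.1 44727 "-" "-"',
    'Apr 24 18:38:11 10.11.26.83 2012-04-24 06:08:13.004 -0700 barracuda WF ALER SQL_INJECTION_IN_URL '
    '99.99.182.1 44801 99.99.83.74 443 security-policy GLOBAL DENY NONE [type="sql-injection-medium" '
    'pattern="sql-comments" token="/"] GET 99.99.83.74/login// HTTPS "-" "Wget/1.12 (linux-gnu)" '
    '99.99.182.1 44801 "-" "-"',
    'Apr 24 18:39:02 10.11.26.83 2012-04-24 06:09:04.117 -0700 barracuda WF ALER SQL_INJECTION_IN_URL '
    '99.99.182.1 44902 99.99.83.75 80 security-policy GLOBAL DENY NONE [type="sql-injection-medium" '
    'pattern="sql-comments" token="/"] GET 99.99.83.75/index.html// HTTP "-" "Wget/1.12 (linux-gnu)" '
    '99.99.182.1 44902 "-" "-"',
]


def parse_event(line):
    """Return the extracted fields plus ip_port (what the Splunk eval builds), or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ip_port"] = f"{ev['application_ip']}:{ev['application_port']}"
    return ev


def search_ip_port(lines, ip_port):
    """Filter on the two source fields first, as the answer that filters before the
    eval does, instead of building ip_port for every event and comparing strings."""
    ip, port = ip_port.rsplit(":", 1)
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None and ev["application_ip"] == ip and ev["application_port"] == port:
            hits.append(ev)
    return hits
```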
Thanks a lot, ziegfried !!!!
You created the new field at search time (ip_port) that you need. Now you want to only see results where it matches 99.99.83.74:80? You could add | where ip_port="99.99.83.74:80". Maybe I'm missing something in your question.