- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to get results by matching value with a new fi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The log Format is :
Apr 24 18:37:07 10.11.26.83 2012-04-24 06:07:09.732 -0700 barracuda WF ALER SQL_INJECTION_IN_URL 99.99.182.1 44727 99.99.83.74 80 security-policy GLOBAL DENY NONE [type="sql-injection-medium" pattern="sql-comments" token="/"] GET 99.99.83.74/index.html// HTTP "-" "Wget/1.12 (linux-gnu)" 99.99.182.1 44727 "-" "-"
The two fields in bold letters are the application_ip and application_port fields respectively. And I used the following search command to extract the two fields together in my search results in the format of application_ip:application:port.
sourcetype="firewall" |eval ip_port=application_ip+":"+application_port
But, Now I need to extract the results by matching with ip_port e.g ip_port =99.99.83.74:80 in the same search query.
How can I do this ?
Please Help...
Thanks....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sourcetype="firewall" |eval ip_port=application_ip+":"+application_port | search ip_port=99.99.83.74:80
or
sourcetype="firewall" |eval ip_port=application_ip+":"+application_port | where ip_port="99.99.83.74:80"
It's way more efficient to filter in the search directly, though:
sourcetype="firewall" ip=99.99.83.74 port=80 | eval ip_port=application_ip+":"+application_port
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot, sdaniels !!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sourcetype="firewall" |eval ip_port=application_ip+":"+application_port | search ip_port=99.99.83.74:80
or
sourcetype="firewall" |eval ip_port=application_ip+":"+application_port | where ip_port="99.99.83.74:80"
It's way more efficient to filter in the search directly, though:
sourcetype="firewall" ip=99.99.83.74 port=80 | eval ip_port=application_ip+":"+application_port
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot, ziegfried !!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You created the new field at search time (ip_port) that you need...now you want to only see results where it matches 99.99.83.74:80? You could add ' | where ip_port=99.99.83.74:80'. Maybe i'm missing something to your question.
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
