Basically, I need to group my 2 events (built and teardown) in Cisco ASA format by 2 fields (event, duration). The event field created will show the no. of events combined, which would be 2 (machine login and connection break). The duration field will show the total connection duration.
duration = time of breakdown event - time of connection built event.
I tried stats and some other transactions but it's not working. Please advise.
sample data:
1. built event: Aug 7 15:47:23 10.1.1.99 Aug 07 2007 15:47:23 10.1.1.99 : %ASA-6-302013: Built inbound TCP connection 3120967 for outside:64.18.2.105/46303 (64.18.2.105/46303) to inside:192.168.1.150/25 (69.8.158.110/25)
If you have the Splunk Add-on for Cisco ASA installed, you should be able to
index=... sourcetype=...
| transaction maxspan=1h startswith=Cisco_ASA_message_id=302013 endswith=Cisco_ASA_message_id=302014 session_id
If you do not have the Splunk Add-on for Cisco ASA installed - well, I suggest installing it.
Seriously, though - for just your little piece you could probably rex up your own session_id. Here I went crazy with MY* for that (so it wouldn't conflict with what the Add-on is already doing):
index=... sourcetype=...
| rex "(?<MYmessage_id>\d+):\s+(Built|Teardown)\s+((?:in|out)bound\s+)?TCP\sconnection\s(?<MYsession_id>\d+)"
| transaction maxspan=1h startswith=MYmessage_id=302013 endswith=MYmessage_id=302014 MYsession_id
Those both give you free duration and eventcount fields. Well, they are not actually free; it costs the price of running it as transaction instead of stats.
To use stats (broken up a bit for readability)...
index=network sourcetype=cisco:asa
| stats earliest(_time) AS startTime, latest(_time) AS endTime, count(_time) as eventcount,
list(src_ip) as src_ip, list(dest_ip) as dest_ip, list(dest_port) as dest_port BY session_id
| eval duration=endTime - startTime
You can list more things in the stats section or you could use something other than list
and so on, but that should give you the idea. It calculates a duration and an eventcount for you.
Happy Splunking!
-Rich
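The same grouping done outside Splunk, as an added example that is not part of Rich's answer: it pairs 302013/302014 events by connection id and computes eventcount and duration the way the stats search does. The build line is the one from the question; the teardown and second build lines are constructed in the standard ASA format, and the regex also accepts "inbound" builds, which the answer's rex does not.

```python
import re
from datetime import datetime

# Mirrors the rex in the answer, but also accepts "inbound" (the sample build
# event is inbound) and the Teardown form, which carries no direction word.
ASA_CONN_RE = re.compile(
    r"%ASA-\d-(?P<message_id>30201[34]):\s+(?:Built|Teardown)\s+"
    r"(?:(?:in|out)bound\s+)?TCP\s+connection\s+(?P<session_id>\d+)"
)
# ASA-local timestamp after the syslog header, e.g. "Aug 07 2007 15:47:23"
ASA_TS_RE = re.compile(r"[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}")

def parse_line(line):
    """Return (session_id, message_id, timestamp), or None for other events."""
    m = ASA_CONN_RE.search(line)
    t = ASA_TS_RE.search(line)
    if not m or not t:
        return None
    return m["session_id"], m["message_id"], datetime.strptime(t.group(0), "%b %d %Y %H:%M:%S")

def connection_stats(lines):
    """Group Built/Teardown events by session_id, like `stats ... BY session_id`.
    duration is None until both 302013 and 302014 are seen for a session
    (still-open connection, or a build that fell outside the search window).
    """
    sessions = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        sid, msg_id, ts = parsed
        s = sessions.setdefault(sid, {"times": [], "ids": set()})
        s["times"].append(ts)
        s["ids"].add(msg_id)
    result = {}
    for sid, s in sessions.items():
        complete = {"302013", "302014"} <= s["ids"]
        duration = (max(s["times"]) - min(s["times"])).total_seconds() if complete else None
        result[sid] = {"eventcount": len(s["times"]), "duration": duration}
    return result

# Constructed sample events: the build line is the one from the question; the
# teardown and second build are made up in the standard 302014/302013 format.
SAMPLE_LOG = [
    "Aug 7 15:47:23 10.1.1.99 Aug 07 2007 15:47:23 10.1.1.99 : %ASA-6-302013: Built inbound TCP connection 3120967 for outside:64.18.2.105/46303 (64.18.2.105/46303) to inside:192.168.1.150/25 (69.8.158.110/25)",
    "Aug 7 15:49:03 10.1.1.99 Aug 07 2007 15:49:03 10.1.1.99 : %ASA-6-302014: Teardown TCP connection 3120967 for outside:64.18.2.105/46303 to inside:192.168.1.150/25 duration 0:01:40 bytes 4096 TCP FINs",
    "Aug 7 15:50:00 10.1.1.99 Aug 07 2007 15:50:00 10.1.1.99 : %ASA-6-302013: Built outbound TCP connection 3120999 for inside:192.168.1.20/51000 (69.8.158.110/51000) to outside:203.0.113.5/443 (203.0.113.5/443)",
]
```

Sessions with only one of the two events come back with duration None, which is the case a transaction with maxspan=1h would silently drop or leave half-formed.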