Hi, I want to know how I can group my log from my firewall by source IP, dest_ip or type, because I want to make a report that shows me the attacks or events by group.
Maybe it's a stupid question, but I'm just a newbie using Splunk and I want to learn how I can do that.
Thank you
query | chart by host
the important part being "by host"
I'm sorry if you couldn't understand me.
I mean I want to do a report that tells me who attacked me and from which IP, things like that, but I have no idea how to group these events.
You'd need to create fields out of your logs (covered in the tutorial; tl;dr: use the interactive field extractor in Splunk Web), and then grab stats on the fields you mention (also covered in the tutorial). If you want to create a search form that only requires you to input an IP number and automatically get charts, tables etc., have a look at the "Build forms" section of the developer manual.
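The two steps above (extract fields, then run stats on them) as an added example, not part of the original thread or a WatchGuard app: the `makeresults`/`eval` lines build six constructed sample events inline so the search runs anywhere, `rex` extracts `action`, `src_ip`, `dest_ip` and `dest_port` from them, and `stats` groups denied traffic by source with the number of distinct targets it hit. The log line layout and field names are constructed assumptions, not the real WatchGuard format.

```spl
| makeresults count=6
| streamstats count AS n
| eval _raw=case(
    n=1, "fw1 Deny src=198.51.100.7 dst=10.0.0.5 proto=tcp dport=22",
    n=2, "fw1 Deny src=198.51.100.7 dst=10.0.0.5 proto=tcp dport=23",
    n=3, "fw1 Deny src=203.0.113.4 dst=10.0.0.9 proto=udp dport=53",
    n=4, "fw1 Allow src=192.0.2.10 dst=10.0.0.5 proto=tcp dport=443",
    n=5, "fw1 Deny src=198.51.100.7 dst=10.0.0.9 proto=tcp dport=3389",
    n=6, "fw1 Allow src=192.0.2.10 dst=10.0.0.9 proto=tcp dport=80")
| rex field=_raw "(?<action>Allow|Deny)\s+src=(?<src_ip>\S+)\s+dst=(?<dest_ip>\S+)\s+proto=(?<proto>\S+)\s+dport=(?<dest_port>\d+)"
| stats count AS events, dc(dest_ip) AS targets, values(dest_port) AS ports BY action, src_ip
| where action="Deny"
| sort - events
```

Against real data, replace the first three commands with your own base search (for example `index=firewall sourcetype=<your watchguard sourcetype>`, names assumed) and adjust the `rex` pattern to your log format; swap `BY action, src_ip` for `BY action, dest_ip` to see which of your hosts are being hit instead of who is hitting them.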
Yeah, I did, but I can't group those events. Let me see if I can explain better.
I want to see my firewall log (WatchGuard) and make some searches by src_ip or dest_ip and then a report to see how many denies, attacks, or errors I had.
I saw many apps for firewalls, but I didn't see one for WatchGuard Firebox.
Did you take the Splunk tutorial? It's a great way to get past the "I'm very new to Splunk" phase.
I am not sure I understand the question.
If you want statistics then take a look here:
If you want these combined together, perhaps the transaction search command.