Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Windows Firewall log

hafizuddin
Path Finder
‎11-26-2017 06:19 PM

Hi, im newbie for splunk enterprise

I had a log file for windows firewall that I already point to Splunk via universal forwarder and splunk read as per below:

11/27/17
9:56:14.000 AM 2017-11-27 09:56:14 ALLOW UDP 202.217.203.244 58.139.24.118 52785 161 0 - - - - - - - SEND
host = BITNPM01 source = C:\Windows\System32\LogFiles\Firewall\pfirewall.log sourcetype = pfirewall

11/27/17
9:56:14.000 AM 2017-11-27 09:56:14 ALLOW UDP 202.217.203.244 114.133.193.1 52785 161 0 - - - - - - - SEND
host = BITNPM01 source = C:\Windows\System32\LogFiles\Firewall\pfirewall.log sourcetype = pfirewall**

I just want to create a table form this log where I need to split variable like source IP, destination IP and time. I had try to used pivot function but the variable it not shown for those i need.

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎11-27-2017 12:01 PM

Have you done any field extractions or are you using a Technology Addon (TA) that is giving you any field extractions? If not, that is your first problem. Once you have the field extractions, you can simply display a table of the data with:

<your_base_search> | table *

or you can define which of the fields you want displayed in your table with:

<your_base_search> | table field, field2, field3

But you do have to have fields being extracted for either of these to do anything useful. Here is a useful document to get you started in creating your own automatic field extraction:

http://docs.splunk.com/Documentation/Splunk/7.0.0/Knowledge/ExtractfieldsinteractivelywithIFX

0 Karma
Reply

HiroshiSatoh
Champion
‎11-26-2017 11:09 PM

If the field is not displayed only for a specific user, I think that it is a matter of authority. Please check the permission setting of field extraction.

Fields » Field extractions
OR
Fields » Field transformations

0 Karma
Reply

HiroshiSatoh
Champion
‎11-26-2017 07:13 PM

What can not be displayed?
Is it a field? Is it a pivot table?

0 Karma
Reply

hafizuddin
Path Finder
‎11-26-2017 08:10 PM

it is a Field...

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...