I am trying to create a report to just show what firewalls are reporting to Splunk.
I am new to Splunk, and how do I use that?
http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Metadata
| metadata type=hosts index=your_firewall_index
Type that in your search as is; you just need to know what index the firewall data is being written to and update the portion after index=.
Once you get the syntax correct, you can create a report by clicking Save As > Report and schedule it to run daily, weekly, etc.
Would you mind providing a little more information?
- What's present in your events regarding the firewall? Or how would you identify that the events are coming from the firewall?
- Does the source field contain any information regarding the actual source of the information?
8/6/18 9:15:30.000 AM
Aug 6 09:15:30 172.19.76.9 Aug 06 2018 09:15:30: %ASA-6-302016: Teardown UDP connection 1332069924 for DMZ-8:172.19.115.13/53 to Inside:172.19.32.15/58709 duration 0:00:00 bytes 108
host = 172.19.76.9 source = udp:1480 sourcetype = cisco:asa
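The sample event above carries sourcetype=cisco:asa and host=172.19.76.9, which answers the question of how firewall events can be told apart from everything else in the index. The following search is an added example, not from the original answer or the poster: it builds on the metadata search from the answer, but uses tstats so the host list can be restricted to the firewall sourcetype and so each firewall's first and last reported event is shown alongside a staleness flag (a device that has gone quiet is usually the thing a scheduled report is meant to catch). The index name your_firewall_index is the answer's placeholder and the 24-hour threshold is an assumption; both should be adjusted to the environment.

```spl
| tstats count AS events
         min(_time) AS firstTime
         max(_time) AS lastTime
  WHERE index=your_firewall_index sourcetype=cisco:asa
  BY host, sourcetype
| eval age_hours = round((now() - lastTime) / 3600, 1)
| eval status = if(age_hours > 24, "STALE", "reporting")
| sort status, -lastTime
| eval firstTime = strftime(firstTime, "%Y-%m-%d %H:%M:%S"),
       lastTime  = strftime(lastTime,  "%Y-%m-%d %H:%M:%S")
| table host sourcetype events firstTime lastTime age_hours status
```

tstats only works on indexed fields, which is why host, source, sourcetype and index can be grouped on here without touching the raw events; that keeps the search cheap enough to schedule daily over a long time range. For the sample event the result row would be host=172.19.76.9, sourcetype=cisco:asa, with lastTime reflecting the most recent %ASA message from that device. If the firewall logs arrive under a different sourcetype, or under a generic syslog sourcetype, change the WHERE clause accordingly, or fall back to the plain `| metadata type=hosts index=your_firewall_index` search, which lists every host in the index regardless of sourcetype.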