How to setup a report on all the firewalls reporti...

plantiw · ‎08-06-2018

I am trying to create a report to just show what firewalls are reporting to Splunk.

plantiw · ‎08-06-2018

I am new to splunk and how do I use that

jdhunter · ‎08-06-2018

Type that in your search as is, you just need to know what index the firewall data is being written to and update the portion after index=

Once you get the syntax correct, you can create a report by clicking Save As > Report and schedule it to run daily, weekly, etc.

jdhunter · ‎08-06-2018

http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Metadata

| metadata type=hosts index=your_firewall_index

renjith_nair · ‎08-06-2018

Would you mind providing little more information ?
- What's present in your events regarding firewall? or How would you identify that the events are coming from firewall?
- Is the source field contain any information regarding the actual source of information?

Happy Splunking!

plantiw · ‎08-06-2018

8/6/18
9:15:30.000 AM

Aug 6 09:15:30 172.19.76.9 Aug 06 2018 09:15:30: %ASA-6-302016: Teardown UDP connection 1332069924 for DMZ-8:172.19.115.13/53 to Inside:172.19.32.15/58709 duration 0:00:00 bytes 108
host = 172.19.76.9 source = udp:1480 sourcetype = cisco:asa

How to setup a report on all the firewalls reporting to Splunk?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms