If you are using Splunk 5.0 I would suggest not using eventtypes. I would suggest extracting the ip into a field, and then using this field to display what you want; or using a macro (myMacro(2)):

eval $field$=if(like(_raw,"%%%ASA $ip$%"),1)

You can then call the macro passing in a name for the field and the ip you are looking for. Example call:

... | myMacro(field="cisco_fw_dmz",ip=1.1.1.1) | myMacro(field="cisco_fw_inside",ip=1.1.1.2)

You now have all events of the cisco_fw_dmz type containing a field with value 1, and similarly for cisco_fw_inside.

This last suggestion may not work in splunk 5.0. I know it used to work in 4.3 though. I'll see if I can think of another way of evaluating into a similar field.

This will then give you the option to add a where clause after the eval, so that you can exclude anything that isn't of the two eventtypes that you want.

This may be happening because you have defined overlapping eventtypes. Thus when you search for results of either type, you get the eventtype field populated with multiple values.

Run your search without the timechart, select the "eventtype" field from the "interesting fields", and see what is being populated. If you are getting multiple values in your eventtype field, you will want to do something like this before the timechart:

...| eval eventtype=case(like(eventtype,"%cisco_fw_dmz%"),"cisco_fw_dmz",like(eventtype,"%cisco_fw_inside%"),"cisco_fw_inside", eventtype) |...

Hello

Thanks a lot for answering!

Unfortunately the searchs you gave me don't work, looks like the results are both eventtypes cisco_firewall and (cisco_fw_dmz or cisco_fw_inside) so eliminating the common eventtype returns 0 results.

I need the results to be classified as cisco_firewall for the default dashboards that come with Cisco Security Application to work, so supressing this type is not acceptable (unless there is a workaround, like redefining the cisco_firewall eventtype as the sum of the other two).