I have a few firewall logs coming into Splunk.
I need to extract the data from Splunk to get the allowed and blocked event counts separately for each firewall.
Could you please help me with the search for this?
For example:
| Firewall | Allowed_count | Blocked_count |
|----------|---------------|---------------|
| A        | 98312         | 4565          |
| B        | 123           |               |
| C        | 72333         | 76876         |
Like this:
| tstats count FROM datamodel=Network_Traffic.All_Traffic WHERE index=* BY All_Traffic.action
@anshubathla
If there is a field Firewall and a field status with the values Allowed or Blocked, then the search below will work for you.
YOUR_SEARCH
| stats count(eval(status="Allowed")) as Allowed_count count(eval(status="Blocked")) as Blocked_count by Firewall
Sample Search:
| makeresults count=10
| eval Firewall="A",status="Allowed"
| append
[| makeresults count=6
| eval Firewall="B",status="Blocked"]
| stats count(eval(status="Allowed")) as Allowed_count count(eval(status="Blocked")) as Blocked_count by Firewall
Thanks
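For readers who want to check the per-firewall counts outside Splunk (for example against a raw log export before the data is onboarded), here is an added Python example that applies the same aggregation as the stats search above. It is not part of either answer and assumes key=value log lines with a Firewall field and a status field; the sample lines are constructed. Unlike the conditional count in SPL, it also tallies events whose status is neither Allowed nor Blocked, so a firewall that logs other actions (such as Dropped) is not silently undercounted.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the original post).
# Assumed key=value format with a "Firewall" field and a "status" field.
SAMPLE_LOGS = """\
2024-01-01T00:00:01Z Firewall=A status=Allowed src=10.0.0.5 dst=10.0.1.9
2024-01-01T00:00:02Z Firewall=A status=Blocked src=10.0.0.6 dst=10.0.1.9
2024-01-01T00:00:03Z Firewall=B status=Blocked src=10.0.0.7 dst=10.0.1.2
2024-01-01T00:00:04Z Firewall=A status=Allowed src=10.0.0.8 dst=10.0.1.9
2024-01-01T00:00:05Z Firewall=C status=Allowed src=10.0.0.9 dst=10.0.1.4
2024-01-01T00:00:06Z Firewall=C status=Dropped src=10.0.0.9 dst=10.0.1.4
2024-01-01T00:00:07Z Firewall=B status=Blocked src=10.0.0.7 dst=10.0.1.2
"""

# key=value pairs; values may be quoted or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Extract key=value pairs from one log line into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def count_by_firewall(lines):
    """Return {Firewall: {Allowed_count, Blocked_count, Other_count}}.

    Mirrors `stats count(eval(status="Allowed")) ... by Firewall`, plus an
    Other_count bucket for statuses the SPL search would not count at all.
    Events with no Firewall field are skipped, as stats ... by would do.
    """
    counts = defaultdict(
        lambda: {"Allowed_count": 0, "Blocked_count": 0, "Other_count": 0}
    )
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        firewall = event.get("Firewall")
        if firewall is None:
            continue
        status = event.get("status")
        if status == "Allowed":
            counts[firewall]["Allowed_count"] += 1
        elif status == "Blocked":
            counts[firewall]["Blocked_count"] += 1
        else:
            counts[firewall]["Other_count"] += 1
    # sort by firewall name, like the table in the question
    return dict(sorted(counts.items()))


def render_table(counts):
    """Format the counts as a plain-text table with the same column names."""
    header = f"{'Firewall':<10}{'Allowed_count':>15}{'Blocked_count':>15}{'Other_count':>13}"
    rows = [
        f"{fw:<10}{c['Allowed_count']:>15}{c['Blocked_count']:>15}{c['Other_count']:>13}"
        for fw, c in counts.items()
    ]
    return "\n".join([header] + rows)


if __name__ == "__main__":
    print(render_table(count_by_firewall(SAMPLE_LOGS.splitlines())))
```

If your logs use a different action field (for example `action=allowed` from the Network_Traffic data model in the first answer), change the field name and the compared values in `count_by_firewall`; the Other_count column is the quick way to spot values you forgot to map.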