Netstat sourcetype is displaying output like below.
Proto Recv-Q Send-Q LocalAddress ForeignAddress State
udp 0 0 :52311 *:
udp 12824 0 :631 *:
udp 0 0 172.18.127.203:123 :
udp 0 0 10.200.21.183:123 :
tcp 0 5 :1556 *: LISTEN
tcp 0 5 127.0.0.1:1557 : LISTEN
tcp 0 5 127.0.0.1:1567 : ESTABLISHED
Now I want to make "State" a field whose value will be "LISTEN" or "ESTABLISHED", for example.
How do I do it?
You should just be able to call | multikv
(this can be set to be done automatically for your sourcetype).
UPDATED:
| makeresults
| eval _raw="Proto Recv-Q Send-Q LocalAddress ForeignAddress State
udp 0 0 :52311 :
udp 12824 0 :631 :
udp 0 0 172.18.127.203:123 :
udp 0 0 10.200.21.183:123 :
tcp 0 5 :1556 : LISTEN
tcp 0 5 127.0.0.1:1557 : LISTEN
tcp 0 5 127.0.0.1:1567 *:* ESTABLISHED"
| multikv
| eval State=if(State=="LISTEN" OR State=="ESTABLISHED",Proto." ".Recv_Q." ".Send_Q." ".LocalAddress." ".ForeignAddress." ".State,State)
| table Proto Recv_Q Send_Q LocalAddress ForeignAddress State
Thanks, to4kawa. However, it does not fix my problem. Please note that the header of the "netstat" command is: Proto Recv-Q Send-Q LocalAddress ForeignAddress State
A subset of the values is:
udp 0 0 :52311 *:
udp 0 0 :53595 *:
-snip------------------
tcp 0 5 :1556 *: LISTEN
tcp 0 5 127.0.0.1:1557 : LISTEN
tcp 0 5 :13782 *: LISTEN
tcp 0 128 :22 *: LISTEN
I want to make "State" a field so that I can get some details based on the values of "State". One use case is to show the values of "LocalAddress" and the time where "State" is in "LISTEN" mode.
Note that the output of "netstat" will go into the Splunk server every 5 minutes. It's not feasible to feed the entire output into an eval _raw table. I think your solution suggests that the entire output of "netstat" be fed to the table.
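Added example (not from the original question or from to4kawa's answer): one way to get the use case described above, LocalAddress and time for every row whose State is LISTEN, once multikv has split the table into one result per row. It assumes the sourcetype is named netstat and that each event begins with the header line, exactly as in the pasted sample; forceheader=1 makes multikv treat line 1 as the header, and the extracted fields take the header names with hyphens turned into underscores (Recv_Q, Send_Q).

```spl
sourcetype=netstat
| multikv forceheader=1
| search State=LISTEN
| table _time Proto LocalAddress State
| sort - _time
```

Each row keeps the _time of the netstat event it came from, so the table shows when a given socket was observed listening; the 5-minute collection interval is the resolution you get. To avoid typing multikv in every search, set KV_MODE = multi in the sourcetype's props.conf stanza, which applies the same tabular extraction at search time. One caveat: real netstat spells the columns "Local Address" and "Foreign Address" with a space, and a whitespace-split header would break those into two tokens; the sample here has the space removed, so either keep normalizing the header in the collection script or define a multikv.conf stanza that matches the real header.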
your_search
As a result, isn't the event _raw?