I have a firewall which has a rule with "any" as source, destination and ports. I need to monitor this traffic and check what source and destination IPs are passing through, along with port/service information. The following correlation search provides me the perfect results, but with huge numbers of events containing multiple duplicate traffic entries; I don't want to use the dedup command, as it will miss some traffic.
index=paloalto-firewall host="firewall IP" rule="any any rule name" | table _time client_ip src_zone dest_ip dest_zone dest_port rule src_interface dest_interface action
Expected results I need as a table, where 555 is the total number of hits for this traffic passing through the any-any rule:
client_ip | src_zone | dest_ip | dest_zone | dest_port | rule | src_interface | dest_interface | action | hit_counts
192.168.1.1 | Inside_zone | 192.168.2.1 | dmz_zone | 80 | rulename | if1 | fi2 | allowed | 555
Any help would be greatly appreciated.
Does using stats solve the problem?
index=paloalto-firewall host="firewall IP" rule="any any rule name" | stats count by client_ip src_zone dest_ip dest_zone dest_port rule src_interface dest_interface action
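As an added example (not from the answer above), the same stats approach can be extended so that each row of the any-any rule report also carries the first and last time that flow was seen and is sorted by hit count, which is what you want when reviewing which flows an overly permissive rule is actually carrying before tightening it. The index, host and rule values are the placeholders from the question.

```spl
index=paloalto-firewall host="firewall IP" rule="any any rule name"
| stats count AS hit_counts
        min(_time) AS first_seen
        max(_time) AS last_seen
    BY client_ip src_zone dest_ip dest_zone dest_port rule src_interface dest_interface action
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - hit_counts
| table client_ip src_zone dest_ip dest_zone dest_port rule src_interface dest_interface action hit_counts first_seen last_seen
```

Unlike dedup, stats keeps every event in the count, so no flow is dropped; a trailing `| where hit_counts > 100` can be added to focus on the busiest flows.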
Thanks, it does provide the required results.