I am sending my SonicWall data to Splunk via syslog. I am trying to get a report to show me how many open connections there are by src IP. However, I am not sure how to do this.
The 2 event types I need to tie together are:
Nov 4 17:42:38 192.168.150.1 id=firewall sn=xxxxxxxxx time="2010-11-04 17:42:42" fw=192.168.254.5 pri=6 c=1024 m=537 msg="Connection Closed" n=0 src=192.168.150.93:1637:X0 dst=192.168.100.10:4440:X2 proto=tcp/4440 sent=2505 rcvd=677
host=192.168.150.1
Nov 4 17:41:53 192.168.150.1 id=firewall sn=xxxxxxxxx time="2010-11-04 17:41:56" fw=192.168.254.5 pri=6 c=262144 m=98 msg="Connection Opened" n=0 src=192.168.150.93:1637:X0 dst=192.168.100.10:4440:X2 proto=tcp/4440
So, in short: here src=192.168.150.93:1637:X0 has opened a connection, then closed it. I want to find out how many have been opened and have yet to be closed, i.e. the current open connection count, grouped by just the src IP (so strip off the 1637:X0 when grouping).
Any help would be great.
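As an added example (not from the poster, Splunk or SonicWall), the script below shows the pairing logic the question describes: replay the "Connection Opened" / "Connection Closed" events in time order, treat each (src, dst, proto) tuple as one connection, drop the port and interface from src so the result groups by IP only, and count what is still open. The sample events are constructed to mirror the two lines in the post (same field names, made-up ports); a "Connection Closed" with no matching open is counted separately rather than allowed to drive a per-IP total negative, which is the usual surprise when the search window starts after a connection was opened. In Splunk the same idea is a rex to pull the IP out of src plus a stats over opened minus closed per src_ip; the Python is just the standalone, checkable version of that logic.

```python
import re
from collections import defaultdict

# Constructed sample events modelled on the two lines in the post (not real traffic).
SAMPLE_EVENTS = [
    'Nov 4 17:41:53 192.168.150.1 id=firewall sn=xxxxxxxxx time="2010-11-04 17:41:56" fw=192.168.254.5 pri=6 c=262144 m=98 msg="Connection Opened" n=0 src=192.168.150.93:1637:X0 dst=192.168.100.10:4440:X2 proto=tcp/4440',
    'Nov 4 17:41:55 192.168.150.1 id=firewall sn=xxxxxxxxx time="2010-11-04 17:41:58" fw=192.168.254.5 pri=6 c=262144 m=98 msg="Connection Opened" n=0 src=192.168.150.93:1638:X0 dst=192.168.100.10:443:X2 proto=tcp/443',
    'Nov 4 17:41:57 192.168.150.1 id=firewall sn=xxxxxxxxx time="2010-11-04 17:42:00" fw=192.168.254.5 pri=6 c=262144 m=98 msg="Connection Opened" n=0 src=192.168.150.93:1639:X0 dst=192.168.100.10:443:X2 proto=tcp/443',
    'Nov 4 17:42:01 192.168.150.1 id=firewall sn=xxxxxxxxx time="2010-11-04 17:42:04" fw=192.168.254.5 pri=6 c=262144 m=98 msg="Connection Opened" n=0 src=192.168.150.77:51000:X0 dst=192.168.100.10:80:X2 proto=tcp/80',
    'Nov 4 17:42:38 192.168.150.1 id=firewall sn=xxxxxxxxx time="2010-11-04 17:42:42" fw=192.168.254.5 pri=6 c=1024 m=537 msg="Connection Closed" n=0 src=192.168.150.93:1637:X0 dst=192.168.100.10:4440:X2 proto=tcp/4440 sent=2505 rcvd=677',
    # A close with no matching open (its open was logged before collection started).
    'Nov 4 17:42:40 192.168.150.1 id=firewall sn=xxxxxxxxx time="2010-11-04 17:42:44" fw=192.168.254.5 pri=6 c=1024 m=537 msg="Connection Closed" n=0 src=192.168.150.50:2000:X0 dst=192.168.100.10:22:X2 proto=tcp/22 sent=10 rcvd=20',
]

# key=value pairs; values are either a quoted string (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Return the key=value fields of one SonicWall syslog line, quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def src_ip(field):
    """'192.168.150.93:1637:X0' -> '192.168.150.93' (drop port and interface)."""
    return field.split(':', 1)[0]


def open_connections(lines):
    """Replay events in order.

    Returns ({src_ip: currently_open_count}, unmatched_close_count).
    A connection is identified by (src, dst, proto) exactly as logged, so the
    port in src keeps two flows from the same host apart; the port is only
    removed when the final counts are grouped.
    """
    live = set()      # (src, dst, proto) tuples opened and not yet closed
    unmatched = 0     # closes we never saw an open for
    for line in lines:
        ev = parse_event(line)
        key = (ev.get('src'), ev.get('dst'), ev.get('proto'))
        msg = ev.get('msg')
        if msg == 'Connection Opened':
            live.add(key)
        elif msg == 'Connection Closed':
            if key in live:
                live.discard(key)
            else:
                unmatched += 1
    counts = defaultdict(int)
    for src, _dst, _proto in live:
        counts[src_ip(src)] += 1
    return dict(counts), unmatched


def report(lines):
    """Rows of (src_ip, open_count), busiest first, plus the unmatched-close count."""
    counts, unmatched = open_connections(lines)
    rows = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return rows, unmatched


if __name__ == '__main__':
    rows, unmatched = report(SAMPLE_EVENTS)
    for ip, n in rows:
        print(f'{ip:<16} {n}')
    print(f'closes without a matching open: {unmatched}')
```

Feed it the raw syslog lines in the order they arrived; the unmatched count tells you how much of the "closed" traffic predates your window, which is worth knowing before trusting the open counts for the earliest src IPs.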