cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
rhornung
Explorer
Member since: ‎01-17-2020
‎10-14-2021
Community Statistics
Posts 6
Solutions 0
Karma Given 1
Karma Received 1
Member Since ‎01-17-2020
Activity Feed
View All

Re: Timechart with count of open connections per p...

by in Splunk Search
‎01-20-2020 11:51 PM
‎01-20-2020 11:51 PM
Fast Mode-> yes, Thank you for your support and happy splunking! ... View more

Re: Timechart with count of open connections per p...

by in Splunk Search
‎01-20-2020 05:44 AM
‎01-20-2020 05:44 AM
Hi, to4kawa, Finally your solution works fine for me! your_search | rex "(?<connection>Built|Teardown).*(?<protocol>(TCP|UDP|ICMP))\s+connection$" | table _time connection protocol | bin _time span=10m | stats count as Count by _time connection protocol | stats sum(eval(if(connection="Built",Count,NULL))) as Built sum(eval(if(connection="Teardown",Count,NULL))) as Teardown by _time protocol | fillnull | eval Open=Built-Teardown | xyseries _time protocol Open | fillnull Many thanks for your quick reply! Best regards rhornung ... View more

Re: Timechart with count of open connections per p...

by in Splunk Search
‎01-20-2020 02:07 AM
1 Karma
‎01-20-2020 02:07 AM
1 Karma
Hi Splunk-Community After several tries and being inspired by above samples (many thanks to repliers) my search query looks like: index=myindex AND sourcetype="my_sourcecode" AND %ASA-6-3020* AND NOT %ASA-6-302010 | rex "(?<protocol>UDP|TCP|ICMP)" | eval connection=case(Cisco_ASA_message_id=="302013" OR Cisco_ASA_message_id=="302015" OR Cisco_ASA_message_id=="302020",1, Cisco_ASA_message_id=="302014" OR Cisco_ASA_message_id=="302016" OR Cisco_ASA_message_id=="302021",-1) | timechart sum(connection) by protocol This query creates a field connection with the values 1 if the field Cisco_ASA_message_id conforms to "Built" Events and a -1 if the field Cisco_ASA_message_id conforms to "Teardown" Events. It works but takes very long (for a report period of 7 days) maybe there is an option or other way to accelerate it!??? Regards ... View more

Re: Timechart with count of open connections per p...

by in Splunk Search
‎01-19-2020 10:12 PM
‎01-19-2020 10:12 PM
Hi jscraig2006 Thank you for your input and response on my question. Your query summarizes the count of built and teardown events, so i get the total amount on events for each protocol. As i wrote (and for baselining reasons) i'd prefer a timechart where open connections are calculated as Built - Teardown Events. Regards ... View more

Re: Timechart with count of open connections per p...

by in Splunk Search
‎01-19-2020 09:41 PM
‎01-19-2020 09:41 PM
Hi to4kawa, Thanks for your input and response. To answer your question: I want to create a timechart with 3 lines (each line stands for one protocol TCP, UDP an ICMP) where x -axis shows the timeline an the y -axis shows me the count of opened connections during the calculated span time. The ASA Logfile only gives me Built and Teardown events, so the current opened connections for each moment of time hast to be calculated: opened connections = Created (->Built) - closed(->Teardown) connections. I want to get a feeling on whats happening on the ASA, so the purpose for this timechart is to get a time-based baseline which shows me anomalies on the firewall-activities. Hope this explanation helps. Thx in advance Regards ... View more

Timechart with count of open connections per proto...

by in Splunk Search
‎01-17-2020 04:34 AM
‎01-17-2020 04:34 AM
Hi, i'm getting stuck an weird using Splunk to show me am Timechart for the last 30 days with open connection per protocol. Input looks like: Jan 17 13:19:34 mydevice : %ASA-6-302013: Built outbound TCP connection Jan 17 13:19:34 mydevice : %ASA-6-302014: Teardown TCP connection Jan 17 13:19:34 mydevice : %ASA-6-302016: Teardown UDP connection Jan 17 13:19:34 mydevice : %ASA-6-302015: Built outbound UDP connection Jan 17 13:19:34 mydevice : %ASA-6-302021: Teardown ICMP connection Jan 17 13:19:34 mydevice: %ASA-6-302020: Built outbound ICMP connection my search statement: %ASA-6-3020* NOT %ASA-6-302010 | timechart count by Cisco_ASA_message_id brings up a wonderful timechart table with absolute values on how many connections were built and closed in a specific timeperiod. it shows me the amount of built TCP connections , teardowned TCP connections built UDP connections, and so on. Goal: My Goal ist a timechart on a statement like: Opened TCP connections = Built TCP connections - Teardowned TCP connection so i' receive three lines (one for each Protocol TCP,UDP and ICMP). Each Cisco_ASA_message_id stands for a specific event. Any suggestions? regards from an absolute beginner ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎10-14-2021 03:31 AM
Karma from
View All
Karma given to
View All