Parse Cisco router logs
I want to report on the number of instances of port hits from a log like this:
<190>4832: 004826: *Feb 25 09:01:06.950 MST: %FMANFP-6-IPACCESSLOGP:fman_fp_image: list DMS-ACCESS permitted tcp 10.10.10.142(49502) -> 100.100.100.196(10224), 1 packet
See the 'destination' port there: 100.100.100.196(10224). I want to count the number of unique ports as well as the count per port. Any help would be great!
-
Hi Kenny,
You will need to use the parse regex operator to first pull the port value from your log messages. Once you have this you can use the "count" or "count_distinct" operators to get a count by port number or count of distinct ports.
For example, using your supplied sample log, you can run the following to get a count by destination port number:
| parse regex "->\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\((?<dest_port>\d+)\),"
| count by dest_port
OR you can run the following to get a count of the distinct ports:
| parse regex "->\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\((?<dest_port>\d+)\),"
| count_distinct(dest_port) as distinct_ports
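As an added example (not part of the original question or answer), the same extraction and counting done in Python over constructed sample lines in the %FMANFP-6-IPACCESSLOGP format. The literal parentheses around the port are escaped in the pattern, and the ACL action is captured as well so permitted and denied hits can be totalled separately, which the query above does not do.

```python
import re
from collections import Counter

# Constructed sample lines in the %FMANFP-6-IPACCESSLOGP format from the question
# (addresses, ports and counters are made up for this example).
SAMPLE_LOGS = """\
<190>4832: 004826: *Feb 25 09:01:06.950 MST: %FMANFP-6-IPACCESSLOGP:fman_fp_image: list DMS-ACCESS permitted tcp 10.10.10.142(49502) -> 100.100.100.196(10224), 1 packet
<190>4833: 004827: *Feb 25 09:01:07.120 MST: %FMANFP-6-IPACCESSLOGP:fman_fp_image: list DMS-ACCESS permitted tcp 10.10.10.142(49503) -> 100.100.100.196(10224), 3 packets
<190>4834: 004828: *Feb 25 09:01:08.001 MST: %FMANFP-6-IPACCESSLOGP:fman_fp_image: list DMS-ACCESS denied tcp 10.10.10.77(51000) -> 100.100.100.196(22), 1 packet
<190>4835: 004829: *Feb 25 09:01:09.433 MST: %FMANFP-6-IPACCESSLOGP:fman_fp_image: list DMS-ACCESS permitted udp 10.10.10.9(53210) -> 100.100.100.53(53), 2 packets
<190>4836: 004830: *Feb 25 09:01:10.000 MST: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Same idea as the answer's parse regex, anchored on the "->" arrow. The literal
# parentheses around each port must be escaped; the ACL name, action, protocol and
# packet counter are captured too. Lines that are not ACL hits simply do not match.
ACL_HIT = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})\((?P<src_port>\d+)\) -> "
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})\((?P<dst_port>\d+)\), (?P<packets>\d+) packet"
)

def parse_acl_hits(text):
    """Yield one dict per %FMANFP-6-IPACCESSLOGP line; other syslog lines are skipped."""
    for line in text.splitlines():
        m = ACL_HIT.search(line)
        if m:
            hit = m.groupdict()
            hit["packets"] = int(hit["packets"])
            yield hit

def count_by_dest_port(text):
    """Equivalent of '| count by dest_port': number of log lines per destination port."""
    return Counter(h["dst_port"] for h in parse_acl_hits(text))

def count_distinct_dest_ports(text):
    """Equivalent of '| count_distinct(dest_port)'."""
    return len(count_by_dest_port(text))

def packets_by_port_and_action(text):
    """Sum the packet counters (not line counts), split by permitted/denied."""
    totals = Counter()
    for h in parse_acl_hits(text):
        totals[(h["dst_port"], h["action"])] += h["packets"]
    return totals

if __name__ == "__main__":
    print(count_by_dest_port(SAMPLE_LOGS), count_distinct_dest_ports(SAMPLE_LOGS))
```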