Trying to create a Cisco ASA firewall dropping table
Hi Everyone,
I just sat through the hands-on training, and am working on creating a table using Sumo's "parse using public/cisco/asa", which gives me a bunch of fields. I'd like to arrange them in order on the messages tab, and am trying to use the command: "| fields dest_host,src_host,dest_port"; however, they're coming out alphabetically. Is there a way to specify the field order? And then I'd like to attach the search results in a table format to a panel and dashboard. However, I have to aggregate in order to be able to put it into a table. But I don't really want to aggregate; I want to have a running list of firewall denies, newest at the top. Is there a way to pretend to aggregate without aggregating? I want the same fields in my search messages tab to go into the table, to the panel, to the dashboard.
Thanks,
Brannen
-
Hi Brannen,
To achieve the "running list" type of display that you want you could add _messagetime as one of your fields. This basically ensures that log data isn't rolled up.
Try something like this:
_sourceCategory=asa
| parse using public/cisco/asa
| count dest_host,src_host,dest_port,_messagetime
| sort _messagetime desc
| fields -_messagetime