Forums: SplunkSearchAndAlert: Formatting WAN output so it can be added to field for search or managed better

I have the following line from a WAN device and would like to understand how to better manipulate the tcp xx.xx.xx.xx --> xx.xx.xx.xx portion of the data better.

Mar 4 16:17:03 wan.int.blah.net 449115: Mar 4 17:17:02.362: %SEC-6-IPACCESSLOGP: list wan-internetfilter-out denied tcp xx.xx.xx.xx(722) -> xx.xx.xx.xx(515), 1 packet

My customer is trying to grab the first "xx.xx.xx.xx" data and get it into a field so it can then be run through | top limit = ip or manipulated in other ways to better show what IP's are seeing the "denied" action.
Currently when this data is found within Splunk and subsequently exported into CSV there are no breaks in the line so the xx.xx.xx.xx can be sorted. It is all one long line. On other exports I have been able to export and get individual fields within Excel, but this one does not.

Is there a better method to indexing WAN / LAN data so it is more manageable within Splunk?

pstein

I've got this in my transforms.conf:

[cisco-sec-6-ipaccesslogp-deny]
REGEX = ^.*:\s+%SEC-6-IPACCESSLOGP:\s+list\s+(\S+)\s+(denied)\s+(\S+)\s+(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)\((\d+)\)\s+->\s+(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)\((\d+)\),\s+(\d+)\s+packet
s?
FORMAT = acl::$1 action::deny protocol::$3 src_ip::$4 src_port::$5 dst_ip::$6 dst_port::$7 count::$8

You'll have to do the appropriate magic in props.conf to get this working, like:

[source::yourciscohost]
REPORT-cisco = cisco-sec-6-ipaccesslogp-deny
KV_MODE = none

-jon