I have three devices, each with its own sourcetype. I am trying to combine the fields **src** with **src_ip** and **dst** with **dest_ip** into new table fields called **Source IP** and **Destination IP** from the results of the search below:
blocked OR deny | search src="$IP$" OR src_ip="$IP$" | table _time, eventtype, sourcetype, Source IP, Destination IP
I've been unable to locate how to do this in the Splunk docs, and none of the questions on this site easily explain how this is accomplished. Most of the answers just provide code to the person asking without much explanation of what they are doing. I'd like to know how the concept works, not just some code I can copy/paste. My searches will be done over several time frames, so performance is very important, as this search will be used to regularly troubleshoot connection issues with the devices.
Once I get the search above to display results correctly, I'd like to take the results of the string below and do the same thing:
blocked OR deny [search sourcetype=pan:traffic | where user="mydomain\\$userName$" | rename src_ip AS src | fields src] | table _time, eventtype, sourcetype, Source IP, Destination IP, dest_port, url, application, category, src_zone, dest_zone, policy_id, action
Thank you in advance :)
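Added example (not part of the original post): one way to build the two combined columns with `eval` and `coalesce`, applied to both searches from the question. `coalesce(a, b)` returns the first argument that is not null, so an event from a sourcetype that carries `src` gets that value and an event that carries only `src_ip` gets that one; the same holds for `dst`/`dest_ip`. The working field names `Source_IP`/`Destination_IP`, the `fields` clause, the `dedup`, and the reuse of the `$IP$`/`$userName$` tokens are my choices, not from the post; the two searches below are separate searches, not one pipeline.

```spl
(blocked OR deny) (src="$IP$" OR src_ip="$IP$")
| fields _time eventtype sourcetype src src_ip dst dest_ip
| eval Source_IP=coalesce(src, src_ip), Destination_IP=coalesce(dst, dest_ip)
| rename Source_IP AS "Source IP", Destination_IP AS "Destination IP"
| table _time, eventtype, sourcetype, "Source IP", "Destination IP"

(blocked OR deny)
    [search sourcetype=pan:traffic user="mydomain\\$userName$"
     | rename src_ip AS src
     | dedup src
     | fields src]
| eval Source_IP=coalesce(src, src_ip), Destination_IP=coalesce(dst, dest_ip)
| rename Source_IP AS "Source IP", Destination_IP AS "Destination IP"
| table _time, eventtype, sourcetype, "Source IP", "Destination IP", dest_port, url, application, category, src_zone, dest_zone, policy_id, action
```

Two points a practitioner would check. First, performance: putting the IP terms and the `user=` filter into the base search (as above) lets the indexer discard non-matching events before they leave disk, whereas `| search` or `| where` after the first pipe filters in memory after everything matching `blocked OR deny` has already been read; `fields` early in the pipeline similarly trims what is carried through. Second, a caveat on the subsearch: it emits `src="..." OR src="..."` terms, so the outer search only matches events that carry a field literally named `src`; events whose only source field is `src_ip` (such as the pan:traffic events themselves) are not selected by that filter, so if those need to appear in the output the subsearch has to emit terms for both field names.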