How do I combine information from two traps into a single line in table based off of message ID comparison, user, and IP address (Where IP address in one trap is data and not in a field)?
My search is as follows:
sourcetype="cisco:asa" host="*" message_id=113039 OR message_id=716002 OR message_id=113019
| eval ClientIP=src_ip
| table ClientIP, user, message_id, host, bytes_in, bytes_out, Total-BW, duration_hour, duration_minute, duration_second, _time
| localop | iplocation ClientIP
| rename bytes_in as Byte_Rcv | rename bytes_out as Byte_xmt
| addtotals fieldname=Total-BW Byte
Trap Format:
Oct 13 09:17:03 CiscoASA: %ASA-6-716002: Group User IP <111.222.333.444> WebVPN session terminated: Idle Timeout.
Oct 13 09:17:03 CiscoASA: %ASA-4-113019: Group = DTCC-VPN, Username = ABCD, IP = 111.222.333.444, Session disconnected. Session Type: IKEv2, Duration: 0h:48m:16s, Bytes xmt: 13787509, Bytes rcv: 1937242, Reason: Idle Timeout
Current Output:
Client user messageID host Byte-rcv Bytexmt Total-byte dur-hr dur-min dur-sec time city country region lat lon
ABCD 113019 CiscoASA 1937242 13787509 15787509 0 48 16 2016-10-13...
x.x.x.444 ABCD 716002 CiscoASA 2016-10-13 Arlington US TX 32.7 97.0
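As an added example (not part of the question or of any answer on this page), the following Python script shows the correlation logic in a form that can be run offline: it pulls the client address out of the free-text 716002 message with a regular expression, extracts the counters from the 113019 session summary, and merges the two events on the client IP, taking the username from whichever trap carries it (the 716002 sample above has a blank user). The trap lines are constructed from the two formats quoted in the question; a second pair with a made-up user EFGH and address 10.20.30.40 is added only to show that grouping keeps sessions apart. The function and output field names are my own choices. The same capture patterns can be reused in SPL with rex, written with the (?<name>...) group syntax instead of Python's (?P<name>...).

```python
import re

# Constructed sample traps: the two lines quoted in the question plus one
# extra pair (user EFGH, 10.20.30.40) invented here to exercise the grouping.
SAMPLE_TRAPS = [
    "Oct 13 09:17:03 CiscoASA: %ASA-6-716002: Group User IP <111.222.333.444> "
    "WebVPN session terminated: Idle Timeout.",
    "Oct 13 09:17:03 CiscoASA: %ASA-4-113019: Group = DTCC-VPN, Username = ABCD, "
    "IP = 111.222.333.444, Session disconnected. Session Type: IKEv2, "
    "Duration: 0h:48m:16s, Bytes xmt: 13787509, Bytes rcv: 1937242, Reason: Idle Timeout",
    "Oct 13 10:02:41 CiscoASA: %ASA-6-716002: Group DTCC-VPN User EFGH IP <10.20.30.40> "
    "WebVPN session terminated: User Requested.",
    "Oct 13 10:02:41 CiscoASA: %ASA-4-113019: Group = DTCC-VPN, Username = EFGH, "
    "IP = 10.20.30.40, Session disconnected. Session Type: SSL, "
    "Duration: 1h:02m:05s, Bytes xmt: 1000, Bytes rcv: 500, Reason: User Requested",
]

# Syslog prefix shared by every ASA trap: timestamp, host, then %ASA-<sev>-<id>.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>[^:]+): "
    r"%ASA-\d-(?P<msgid>\d{6}): (?P<body>.*)$"
)
# 716002 carries the address only as free text in angle brackets; the
# username between "User" and "IP" may be blank, so it is optional here.
WEBVPN_RE = re.compile(r"User(?: (?P<user>\S+))? IP <(?P<ip>[^>]+)>")
# 113019 is the "Session disconnected" summary with duration and byte counters.
DISC_RE = re.compile(
    r"Username = (?P<user>[^,]*), IP = (?P<ip>[^,]+),.*?"
    r"Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s, "
    r"Bytes xmt: (?P<xmt>\d+), Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.+)$"
)


def parse_trap(line):
    """Return a dict of fields for a 716002 or 113019 trap, or None otherwise."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"_time": m["ts"], "host": m["host"].strip(), "message_id": m["msgid"]}
    body = m["body"]
    if rec["message_id"] == "716002":
        b = WEBVPN_RE.search(body)
        if not b:
            return None
        rec["ClientIP"] = b["ip"].strip()
        if b["user"]:  # only set when the trap actually names a user
            rec["user"] = b["user"]
    elif rec["message_id"] == "113019":
        b = DISC_RE.search(body)
        if not b:
            return None
        rec.update(
            ClientIP=b["ip"].strip(), user=b["user"].strip(),
            Byte_xmt=int(b["xmt"]), Byte_Rcv=int(b["rcv"]),
            duration_hour=int(b["h"]), duration_minute=int(b["m"]),
            duration_second=int(b["s"]), Reason=b["reason"].strip(),
        )
        rec["Total_BW"] = rec["Byte_xmt"] + rec["Byte_Rcv"]
    else:
        return None  # other message IDs are ignored in this example
    return rec


def correlate(lines):
    """Merge traps that share a ClientIP into one row per address.

    The first event to carry a field sets it; later events only fill gaps,
    so a 113019 summary supplies user and counters that 716002 lacks.
    """
    rows = {}
    for line in lines:
        rec = parse_trap(line)
        if rec is None:
            continue
        row = rows.setdefault(rec["ClientIP"], {"message_ids": []})
        row["message_ids"].append(rec.pop("message_id"))
        for key, value in rec.items():
            row.setdefault(key, value)
    return list(rows.values())


if __name__ == "__main__":
    for row in correlate(SAMPLE_TRAPS):
        print(row)
```

Keying on the address rather than on the (user, IP) pair is deliberate: the 716002 trap in the question has no username, so a join on user would never match it. Once the counters are on one row, a total such as Total_BW is computed from the merged record instead of from an addtotals over a row that only holds half of the fields.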