7. Finding Data for the First Time in Splunk

If you have correctly completed the previous steps, data should be appearing and you should be able to locate it easily.

Searching

Note: Set the Search bar time-range preset to All time to locate the data. If the date/time stamps are incorrect, adjust the NTP settings on your firewall so that it reports correct time.

Try this search:

index=sonicwall

To get just your flow data:

index=sonicwall TemplateID=257

You should get something that looks like this:

TemplateID=257 session_id=2147521047 src_mac=00-50-56-A1-04-A0 dest_mac=00-00-00-00-00-00 src_ip=192.168.1.1 dest_ip=192.168.1.254 initiator_GW-IP_Addr=0.0.0.0 responder_GW-IP_Addr=0.0.0.0 src_int=19 src_port=51489 dest_port=443 init_to_resp_pkts=1 init_to_resp_octets=52 init_to_resp_delta_pkts=1 init_to_resp_delta_octets=52 start_time=2014-04-07 11:10:21 end_time=1969-12-31 16:00:00 tcp_flag=9 protocol=6 app_id=49178 user=5998591826582306817 virus_id=0

TemplateID=257 session_id=2147521046 src_mac=00-50-56-A1-04-A0 dest_mac=00-00-00-00-00-00 src_ip=192.168.1.1 dest_ip=192.168.1.254 initiator_GW-IP_Addr=0.0.0.0 responder_GW-IP_Addr=0.0.0.0 src_int=19 src_port=51488 dest_port=443 init_to_resp_pkts=6 init_to_resp_octets=834 init_to_resp_delta_pkts=6 init_to_resp_delta_octets=834 start_time=2014-04-07 11:10:21 end_time=1969-12-31 16:00:00 tcp_flag=9 protocol=6 app_id=49178 user=5998591826582306817 virus_id=0

TemplateID=257 session_id=2147521045 src_mac=00-50-56-A1-04-A0 dest_mac=00-00-00-00-00-00 src_ip=192.168.1.1 dest_ip=192.168.1.254 initiator_GW-IP_Addr=0.0.0.0 responder_GW-IP_Addr=0.0.0.0 src_int=19 src_port=51485 dest_port=443 init_to_resp_pkts=7 init_to_resp_octets=1500 init_to_resp_delta_pkts=7 init_to_resp_delta_octets=1500 start_time=2014-04-07 11:10:20 end_time=1969-12-31 16:00:00 tcp_flag=9 protocol=6 app_id=49178 user=5998591826582306817 virus_id=0

For more information on how to interpret the results, see NetFlow Conversion Template 257.
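Before building dashboards it is worth checking that the flow-extn records parse the way you expect; the following Python is an added example (not part of the SonicWall app or its documentation) that parses events in the TemplateID=257 layout shown above and aggregates them by destination, the way a Splunk stats search would. The sample events are constructed with fields trimmed; the regex handles the space inside start_time/end_time values, and treating an end_time of epoch 0 (1969-12-31 16:00:00 in UTC-8, as in the output above) as "no end time recorded" is an assumption made here, not something the page states.

```python
import re
from collections import defaultdict

# Constructed sample events in the TemplateID=257 (flow-extn) layout shown above, fields trimmed.
SAMPLE_EVENTS = [
    "TemplateID=257 session_id=2147521047 src_ip=192.168.1.1 dest_ip=192.168.1.254 "
    "src_port=51489 dest_port=443 init_to_resp_octets=52 start_time=2014-04-07 11:10:21 "
    "end_time=1969-12-31 16:00:00 protocol=6",
    "TemplateID=257 session_id=2147521046 src_ip=192.168.1.1 dest_ip=192.168.1.254 "
    "src_port=51488 dest_port=443 init_to_resp_octets=834 start_time=2014-04-07 11:10:21 "
    "end_time=1969-12-31 16:00:00 protocol=6",
    "TemplateID=257 session_id=2147521045 src_ip=192.168.1.1 dest_ip=192.168.1.254 "
    "src_port=51485 dest_port=443 init_to_resp_octets=1500 start_time=2014-04-07 11:10:20 "
    "end_time=2014-04-07 11:10:25 protocol=6",
]

# Timestamp values contain a space, so pairs cannot be split on whitespace: each value
# runs until the next "key=" token (keys may contain '-', e.g. initiator_GW-IP_Addr) or end of line.
KV_RE = re.compile(r"([\w-]+)=(.*?)(?=\s+[\w-]+=|$)")

# Unix epoch 0 rendered in UTC-8, as in the sample output. Assumption: this means the
# firewall recorded no end time for the session (the page does not state this).
EPOCH_ZERO_PST = "1969-12-31 16:00:00"
INT_FIELDS = {"TemplateID", "session_id", "src_port", "dest_port", "init_to_resp_pkts",
              "init_to_resp_octets", "tcp_flag", "protocol", "app_id", "virus_id"}

def parse_flow_event(line):
    """Parse one flow-extn event into a dict; known numeric fields become ints."""
    fields = dict(KV_RE.findall(line))
    for name in INT_FIELDS:
        if name in fields:
            fields[name] = int(fields[name])
    fields["end_time_set"] = fields.get("end_time") != EPOCH_ZERO_PST
    return fields

def summarize_flows(lines):
    """Aggregate flow-extn records by (dest_ip, dest_port, protocol), like a stats search."""
    summary = defaultdict(lambda: {"flows": 0, "octets": 0, "open": 0})
    for line in lines:
        ev = parse_flow_event(line)
        if ev.get("TemplateID") != 257:
            continue  # other templates (user, url, ...) do not carry per-session fields
        key = (ev["dest_ip"], ev["dest_port"], ev["protocol"])
        summary[key]["flows"] += 1
        summary[key]["octets"] += ev["init_to_resp_octets"]
        summary[key]["open"] += 0 if ev["end_time_set"] else 1
    return dict(summary)
```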

Table Quick Reference

Netflow Conversion

Template ID  Template Name          Present    Type     Converted
257          flow-extn              yes        dynamic  yes
258          table-map              yes                 discard
259          column-map             yes                 discard
260          user                   yes        dynamic  yes
261          application            yes        static   yes
262          url                    yes        dynamic  yes
263          rating                 yes        static   yes
264          ips                    yes        static   yes
265          gav                    yes        static   yes
266          anti-spyware           yes        static   yes
267          location-map           yes        static   discard
268          location               yes        dynamic
269          log                    no         dynamic
270          if-stats               sometimes  dynamic
271          core-stats             sometimes  dynamic  discard
272          voip                   yes        dynamic  yes
273          services               sometimes  static   discard
274          spam                   no
275          memory                 sometimes  dynamic  discard
276          devices                yes        dynamic  yes
277          vpn                    yes        dynamic  yes
278          url-rating             yes        dynamic
279          topapps-stat           sometimes  dynamic  discard
356          IPv6 Flow IPFIX                   dynamic
357          IPv6 Flow IPFIX extn              dynamic
358          IPv6 User                         dynamic
359          IPv6 URL                          dynamic
360          IPv6 Location                     dynamic
361          IPv6 Spam                         dynamic
362          IPv6 devices                      dynamic
363          IPv6 VPN tunnels                  dynamic
364          IPv6 if-stat                      dynamic
365          IPv6 TopApps           yes        dynamic