huynhbaoan · November 18, 2024 08:47
diff --git a/cw filter b/cw filter
 parse @message /^.*eni-\w+\s+(?<srcAddr>\d+\.\d+\.\d+\.\d+)\s+(?<destAddr>\d+\.\d+\.\d+\.\d+)\s+(?<srcPort>\d+)\s+(?<destPort>\d+)\s+(?<protocol>\d+)\s+(?<tcpFlag>\d+)\s+\d+\s+\d+\s+\d+\s+\d+\s+\d+\s+(?<action>\w+)\s+OK/
 | filter destPort="993" and isIpv4InSubnet(destAddr, "10.154.113.89/32")
 | display srcAddr, destAddr, srcPort, destPort, tcpFlag, action
	parse @message /^.*eni-\w+\s+(?<srcAddr>\d+\.\d+\.\d+\.\d+)\s+(?<destAddr>\d+\.\d+\.\d+\.\d+)\s+(?<srcPort>\d+)\s+(?<destPort>\d+)\s+(?<protocol>\d+)\s+(?<tcpFlag>\d+)\s+\d+\s+\d+\s+\d+\s+\d+\s+\d+\s+(?<action>\w+)\s+OK/
	\| filter destPort="993" and isIpv4InSubnet(destAddr, "10.154.113.89/32")
	\| display srcAddr, destAddr, srcPort, destPort, tcpFlag, action