Helps to investigate authentications through CISCO_ISE device. This identifies who logs in, the MAC address and IP for any use cases index=<your cisco index> “<your IP>” |rex field=”cisco_av_pair” “mdm-tlv=device-mac=(?<MAC_ID>\w+-\w+-\w+-\w+-\w+-\w+)” |rex field=”cisco_av_pair” “mdm-tlv=device-platform=(?<OS>\w+)” |rex field=_raw “(?<IP><IP regex>)” |iplocation IP |stats c sum(Acct_Input_Packets) as Packets_In sum(Acct_Output_Packets) as Packets_Out by _time User_Name Framed_Protocol src_mac City Country Region IP […]
