I don't want the Destination IP in my report output. Can we remove the Destination IP?

Andy

Posted 5 years ago

Andy

Yes, here is a copy of the report syntax:

Def tmp_user_info uid 4, logonname 0b, name 0b index uid
Temporary tmp_user_info user_info uid, logonname, name where {logonname#lname#Logon Name#regexp#$b64:JGV4Y2x1ZGVzOk4vQQ==}
Query ip,tmp_user_info [name.1#Full Name#text], [logonname.1#Logon Name#text], [dst.0#Destination IP#subnet], [src.0#Source IP#subnet], [dport.0#Server Port#port], [sum(sent.0)#Sent#bytecnt], [sum(rcvd.0)#Received#bytecnt], [sum(sent.0,rcvd.0)#Total#bytecnt] sort=-7 where uid.1=uid.0 & {end.0#t#Time#date#} & {senid#senid#Sensor#sensor#} & {src#src#Source IP/Subnet#subnet#192.168.0.0/16} & {dst#dst#Destination IP/Subnet#subnet#!192.168.0.0/16} & {src,dst#ip#Client or Server#subnetdl#} & {proto#proto#IP Protocol#protocol#} & {dport.0#dport#Destination Port#service#80,443}
Link down.png Breakdown /netmon/view.cgi?View=1&rid=99&t=$t&lname=$1&src=$2&dst=$3&dport=$4&senid=$senid 8

Just remove [dst.0#Destination IP#subnet], from this line:
Query ip,tmp_user_info [name.1#Full Name#text], [logonname.1#Logon Name#text], [dst.0#Destination IP#subnet],

and change sort=-7 to sort=-6.

We hope you find this tip useful.