OMS Syntax post series: #4 : WireData


One of the most interesting sets of syntax has been the use of WireData. I'm not really a networking person, but the way you can visualise and assess the data is very useful.

For all of these, replace aDomainName.co.uk with your own FQDN.

I started by looking at traffic from a subnet and the Remote (or Local) IP addresses that were being used. This helped identify an increase in traffic we had seen in the OMS Usage report:

Type=WireData LocalSubnet="192.168.35.0/24" | measure count() by RemoteIP
or
Type=WireData LocalSubnet="192.168.35.0/24" | measure count() by LocalIP

A variant of the above is to sort by Remote Country. This was useful to understand that we had a lot of outbound traffic (in our case mainly to the US). It could also be used to identify where remote computers are located; it's a very visual query that lists the countries in order of most traffic.

Type=WireData LocalSubnet="192.168.35.0/24" | measure count() by RemoteIPCountry

I also found combining the IP address with RegEx the best way to look at ranges of addresses:
Type=WireData RemoteIP!=RegEx("192.168.35.*") | Select RemoteIP | Dedup Computer

You can modify the above by adding other fields to the Select statement, such as Select RemoteIP, Computer, RemoteIPCountry.

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ 

If you combine the above with a Computer name RegEx filter, you can further reduce the results:

Type=WireData RemoteIP!=RegEx("192.168.35.*") (Computer=RegEx("..@.aDomainName.co.uk")) | Select RemoteIP | Dedup RemoteIP 

Next I wanted to see the data without the loopback address (127.0.0.1) and the local subnet; "!=" means NOT in the OMS query language:

Type=WireData (RemoteIP!=RegEx("192.168.35.*") OR RemoteIP!="127.0.0.1" AND Computer=RegEx("@2016.aDomainName.co.uk")) | Measure count (RemoteIP) by RemoteIP

In this modification I added the country name and also filtered on outbound traffic:

Type=WireData (RemoteIP!=RegEx("192.168.35.*") OR RemoteIP!=RegEx("192.168.34.*") OR RemoteIP!="127.0.0.1" AND Computer=RegEx("DC@.aDomainName.co.uk")) (Direction=Outbound) | Measure count () By RemoteIPCountry
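The same filtering and counting logic, reproduced offline in Python as an added example (not from the original post or from OMS itself) over a constructed set of WireData-like records. It assumes the field names used in the queries above and tests subnet membership with CIDR matching rather than RegEx("192.168.35.*"); every exclusion is combined with AND, so each one actually removes rows.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of WireData-like records; the field names are the ones the
# post's queries use (Computer, LocalIP, RemoteIP, RemoteIPCountry, Direction).
SAMPLE_WIREDATA = [
    {"Computer": "DC01.aDomainName.co.uk", "LocalIP": "192.168.35.10", "RemoteIP": "192.168.35.20", "RemoteIPCountry": "", "Direction": "Inbound"},
    {"Computer": "DC01.aDomainName.co.uk", "LocalIP": "192.168.35.10", "RemoteIP": "127.0.0.1", "RemoteIPCountry": "", "Direction": "Outbound"},
    {"Computer": "DC01.aDomainName.co.uk", "LocalIP": "192.168.35.10", "RemoteIP": "203.0.113.5", "RemoteIPCountry": "United States", "Direction": "Outbound"},
    {"Computer": "WEB01.aDomainName.co.uk", "LocalIP": "192.168.35.11", "RemoteIP": "203.0.113.5", "RemoteIPCountry": "United States", "Direction": "Outbound"},
    {"Computer": "WEB01.aDomainName.co.uk", "LocalIP": "192.168.35.11", "RemoteIP": "198.51.100.7", "RemoteIPCountry": "United Kingdom", "Direction": "Outbound"},
    {"Computer": "FS01.aDomainName.co.uk", "LocalIP": "192.168.34.5", "RemoteIP": "198.51.100.7", "RemoteIPCountry": "United Kingdom", "Direction": "Inbound"},
]

def in_subnet(ip, cidr):
    # CIDR membership instead of RegEx("192.168.35.*"): an unescaped "." in a
    # regex is a wildcard, so the regex form also matches strings such as "192x168x35x1".
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def count_by(records, field, local_subnet=None):
    """Equivalent of: Type=WireData LocalSubnet="<cidr>" | measure count() by <field>"""
    rows = [r for r in records if local_subnet is None or in_subnet(r["LocalIP"], local_subnet)]
    return dict(Counter(r[field] for r in rows))

def dedup(records, field):
    """Equivalent of: | Dedup <field> (keep the first record seen per distinct value)."""
    seen, out = set(), []
    for r in records:
        if r[field] not in seen:
            seen.add(r[field])
            out.append(r)
    return out

def remote_not_local(records, local_subnets, computer_regex=None, direction=None):
    """Drop loopback and local-subnet RemoteIPs, optionally filtering on Computer
    (a regex, as in the post) and Direction. All tests are ANDed: a record is
    kept only if it passes every one of them."""
    out = []
    for r in records:
        ip = ipaddress.ip_address(r["RemoteIP"])
        if ip.is_loopback or any(in_subnet(r["RemoteIP"], s) for s in local_subnets):
            continue
        if computer_regex and not re.search(computer_regex, r["Computer"]):
            continue
        if direction and r["Direction"] != direction:
            continue
        out.append(r)
    return out
```

Calling count_by(SAMPLE_WIREDATA, "RemoteIPCountry", "192.168.35.0/24") gives the per-country breakdown for the subnet, and feeding the output of remote_not_local into dedup reproduces the "| Dedup Computer" queries.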
