Hello Splunk Answers,
I am looking to build a static lookup table for Firewall ACL lookup. Essentially, I would like the lookup to match on dst_port and determine if the port matches an existing ACL rule name. I have an any-any rule that I'm trying to clean up, and the idea is to have Splunk tell me if the dst_port matches an existing ACL rule entry. If no rule match is made, then the connection is permitted via an any-any rule.
I'm looking to match on dst_port. In this example, traffic connections on 80, 53 would match rule_name like in the example below.
fields:
dst_port, rule_name
80, permit_web
53, permit_dns
The idea is, if traffic connections do not match on a specific entry, then state something like this:
dst_port, rule_name
8748, any_any
I appreciate the assistance.
-ktang
Do you already have the lookup working for the matching ones? If yes, just use a | fillnull value="any_any" rule_name
That worked! Thanks, musskopf
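A complete search that wires the lookup and the fillnull together, as an added example (not from the thread). It assumes the two-column CSV from the question is saved as a lookup definition named acl_ports, and the makeresults/eval rows are constructed sample connections standing in for a real search such as index=firewall action=allowed; both names are assumptions.

```spl
| makeresults count=5
| streamstats count AS n
| eval dst_port=case(n=1, 80, n=2, 53, n=3, 8748, n=4, 80, n=5, 3389)
| fields - n _time
| lookup acl_ports dst_port OUTPUT rule_name
| fillnull value="any_any" rule_name
| stats count BY dst_port rule_name
| where rule_name="any_any"
```

Ports 80 and 53 receive permit_web and permit_dns from the lookup, while 8748 and 3389 fall through to any_any; the final where clause leaves only the ports that currently rely on the any-any rule, which is the list to review when tightening the ACL.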