Solved: How to import a list of IP and port pairs, then co...

pwqs · ‎12-07-2015

I regularly generate a list of IP addresses and port pairs for which I should see traffic, and I log firewall traffic in Splunk. Is there a way that I can import that list of IP/port pairs and then compare against the firewall logs to generate statistics? I'm particularly interested in low/no results, i.e. IP/port pairs which should be seen, but haven't been. The comparison itself is simple, it's using the externally-generated list that I'm struggling with. I can create a lookup table, but I'm not sure how to compare the logs against that lookup table.

Any thoughts?

sundareshr · ‎12-07-2015

If you have a iplist_lookup lookup table with a field called ipaddress, you could do something like this

sourcetype="network_logs" | join ipaddress [|inputlookup iplist_lookup] | stats ...

View solution in original post

sundareshr · ‎12-07-2015

If you have a iplist_lookup lookup table with a field called ipaddress, you could do something like this

sourcetype="network_logs" | join ipaddress [|inputlookup iplist_lookup] | stats ...

pwqs · ‎12-07-2015

This works almost perfectly, however I can't work out how to display where the count is zero.

sundareshr · ‎12-07-2015

Change the order and do a join

|inputlookup iplist_lookup | join type=outer ipaddress  [search sourcetype="network_logs"  | stats count by ipaddress] | fillnull value=0 count

pwqs · ‎12-07-2015

Perfect, thanks!

How to import a list of IP and port pairs, then compare this against firewall logs to generate statistics?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!