Splunk Search

How can I clean up my Splunk search?

phspec
Explorer

How do I clean up the following Splunk search?

index=firewall Destination_Port!=80 Destination_Port!=443 Destination_Port!=8080 Source_Port!=80 Source_Port!=443 Source_Port!=8080 1_Dst_Port!=80 1_Dst_Port!=443 1_Dst_Port!=8080 1_Src_Port!=80 1_Src_Port!=443 1_Src_Port!=8080 1_Dst_Nat_Port!=80 1_Dst_Nat_Port!=443 1_Dst_Nat_Port!=8080 1_Src_Nat_Port!=80 1_Src_Nat_Port!=443 1_Src_Nat_Port!=8080
0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Maybe something like this

index=firewall NOT [| gentimes start=-1 | eval fields="Destination_Port Source_Port 1_Dst_Port 1_Src_Port 1_Dst_Nat_Port 1_Src_Nat_Port" | eval ports="80 443 8080" | fields fields ports | makemv fields | makemv ports | mvexpand fields | mvexpand ports | eval {fields}=ports | fields - fields ports | format "" "" "" "OR" "" ""]

Just add/update/remove field names and the port numbers in the subsearch.

0 Karma

phspec
Explorer

Without the format command, the query works. Thanks!

0 Karma

phspec
Explorer

I'm trying to get the query going back 3 days, so I've tried the "gentimes" command formatted as such: gentimes start=1/31/16 end=2/2/16, and I've also tried: gentimes start=-3 end=0 interval=1d, but my query only goes back 1 hour. Could you possibly indicate where my syntax is wrong?

0 Karma

phspec
Explorer

Also, I get the following error: Error in 'search' command: Unable to parse the search: 'OR' operator is missing a clause on the right hand side.

When I add two double quotes to the right of the 'OR' operator, I get the following error: Error in 'format' command: Invalid argument: ''

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try running it with the format command. So just this

index=firewall NOT [| gentimes start=-1 | eval fields="Destination_Port Source_Port 1_Dst_Port 1_Src_Port 1_Dst_Nat_Port 1_Src_Nat_Port" | eval ports="80 443 8080" | fields fields ports | makemv fields | makemv ports | mvexpand fields | mvexpand ports | eval {fields}=ports | fields - fields ports ]
0 Karma

phspec
Explorer

If I wanted the search to go back 3 days, would it be "gentimes start=-3d"?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Ohh no. The gentimes is basically an event generator that I use (you can use just the '| stats count' as well there). It has nothing to do with the requirement you have here. The subsearch is generating the dynamic conditions (you can check the normalizedSearch property in Inspect job) from the results of the subsearch. For more details just run the subsearch in a separate search page.

0 Karma
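As an added example (not from the thread or from Splunk), the following Python models what the subsearch in the accepted answer expands to, and why the generated form is not a drop-in equivalent of the original hand-written search: Splunk's `field!=value` only matches events in which the field is present, whereas `NOT field=value` also keeps events that lack the field. FIELDS, PORTS and the event dicts are constructed sample values; the clause strings approximate the shape of Splunk's output, not its exact quoting and spacing.

```python
from itertools import product

# Constructed to mirror the thread: every listed field is checked against
# every listed port, which is exactly the field x port cross product the
# mvexpand steps in the subsearch produce.
FIELDS = ["Destination_Port", "Source_Port", "1_Dst_Port", "1_Src_Port",
          "1_Dst_Nat_Port", "1_Src_Nat_Port"]
PORTS = ["80", "443", "8080"]


def build_not_clause(fields, ports):
    """Approximate the clause the subsearch yields once format joins its rows.

    Each subsearch row carries one field=port pair; the rows are OR-ed and
    the whole thing is negated by the outer NOT in the main search.
    """
    rows = ["(%s=%s)" % (f, p) for f, p in product(fields, ports)]
    return "NOT (" + " OR ".join(rows) + ")"


def build_neq_chain(fields, ports):
    """Rebuild the original hand-written form: one field!=port term per pair."""
    return " ".join("%s!=%s" % (f, p) for f, p in product(fields, ports))


def matches_neq_chain(event, fields, ports):
    """Model of `field!=value` (documented Splunk behaviour, assumed here):
    the field must exist in the event AND hold a different value, so an
    event missing any listed field is dropped."""
    return all(f in event and str(event[f]) != p
               for f, p in product(fields, ports))


def matches_not_clause(event, fields, ports):
    """Model of `NOT (field=value OR ...)`: the event is kept unless some
    pair matches; a missing field can never match, so the event survives."""
    return not any(f in event and str(event[f]) == p
                   for f, p in product(fields, ports))


def classify(event, fields=FIELDS, ports=PORTS):
    """Return (kept_by_neq_chain, kept_by_not_clause) for one event dict.

    The two differ for firewall events that lack some of the NAT fields,
    which is where the rewritten search returns more rows than the original.
    """
    return (matches_neq_chain(event, fields, ports),
            matches_not_clause(event, fields, ports))
```

Compare the two tuples returned by `classify` on events with and without the NAT port fields before switching a saved alert from the `!=` chain to the subsearch form.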