Splunk Search

What is the way to exclude ports from a single search?

brian1_tate
Path Finder

Silly question here. I am trying to search against my WAN for traffic flows NOT equal to certain ports. I seem to have my syntax wrong here I think.

index="network" dport!=53 OR dport!=123 OR dport!=80 OR dport!=443 | iplocation src

What am I doing wrong here?

0 Karma

gokadroid
Motivator

I beg to differ from @somesoni2 and @skoelpin, as the logical OR looks wrong in the first part of the query syntax if the intention is to exclude all four ports from showing up in the search:

index="network" dport!=53 OR dport!=123 OR dport!=80 OR dport!=443 | iplocation src

Since a logical OR has been put in with a negation on the field value in the above search, this search is only as good as searching index="network" | iplocation src
The reason being: whatever dport!=53 negates from being searched will be included by all the other three negations (in fact any one other negation is sufficient). So ultimately not a single negation will work.

If the intention is not to search any of the four ports mentioned, then trying with AND shall achieve the intended result, which shall look something like:

index="network" dport!=53 AND dport!=123 AND dport!=80 AND dport!=443 | iplocation src
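To make the OR-versus-AND point above concrete, here is an added example (not from the thread or from Splunk) that models how the two filters behave over a handful of constructed flow records; it also mirrors the two follow-up checks in the thread, that the dport field exists and that it holds clean values. The event dicts, port values and function names are all constructed for this illustration.

```python
# Added example: a small Python model of the two SPL filters from the thread.
# Assumption (Splunk semantics): "field!=value" only matches events that HAVE
# the field with a different value; events lacking the field match neither form.

EXCLUDED_PORTS = {53, 123, 80, 443}

# Constructed sample events; only "src" and "dport" matter here.
FLOWS = [
    {"src": "10.0.0.5", "dport": 53},
    {"src": "10.0.0.5", "dport": 443},
    {"src": "10.0.0.7", "dport": 22},
    {"src": "10.0.0.8", "dport": 3389},
    {"src": "10.0.0.9", "dport": 123},
    {"src": "10.0.0.6", "dport": "443/tcp"},  # extra characters in the value
    {"src": "10.0.0.9"},                      # no dport field at all
]


def or_of_negations(event):
    """dport!=53 OR dport!=123 OR dport!=80 OR dport!=443
    Each clause is true for any value other than its own port, so the
    disjunction is true for every event that has a dport value at all."""
    dport = event.get("dport")
    if dport is None:
        return False
    return any(dport != p for p in EXCLUDED_PORTS)


def and_of_negations(event):
    """dport!=53 AND dport!=123 AND dport!=80 AND dport!=443
    True only when the value differs from every excluded port."""
    dport = event.get("dport")
    if dport is None:
        return False
    return all(dport != p for p in EXCLUDED_PORTS)


def run_search(events, predicate):
    """Apply one of the filters the way the search head would."""
    return [e for e in events if predicate(e)]


def count_by_dport(events):
    """Mirror of '| stats count by dport': events without dport are dropped,
    and a value like '443/tcp' shows up as its own bucket, which is exactly
    what reveals why dport!=443 fails to exclude it."""
    counts = {}
    for e in events:
        if "dport" in e:
            counts[e["dport"]] = counts.get(e["dport"], 0) + 1
    return counts
```

Running the OR form keeps all six events that carry a dport (nothing is excluded), while the AND form keeps only 22, 3389 and the malformed "443/tcp"; the stats-style count surfaces that malformed value and the missing-field case.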

somesoni2
SplunkTrust

Good catch.

somesoni2
SplunkTrust

Your syntax is correct. I would check, 1) if the field dport exists, 2) and if it does, that it holds the exact port values that you're specifying, with no additional characters/data.

0 Karma

skoelpin
SplunkTrust

It's better to include than to exclude, but it looks good to me.

You should verify the ports are actually present in your log, which may be the reason why it's not working:

index="network" | stats count by dport

0 Karma