We are trying to monitor Firewall events from' X ' Environment coming to Splunk. I took the all hosts (600 hosts) related to 'X' environment and created lookup. I am able to see all events with below search but the search is too expensive and takes almost 15 minutes. For security reasons I took all names of index and Ips .When i search I included them. Can any one help with the search?
Search -
index=test1 OR index=test2* OR index=test3* action=blocked dest=* NOT(msg="Deny TCP (no connection) from * flags RST on interface *") (src_ip=*/* OR src_ip=*/* OR src_ip=*/* OR src_ip=*/*) | lookup hostlist.csv IP as dest | search list=y | dedup dest_port src_ip dest_ip host rule
| table dest_port src_ip dest_ip host rule list
try searching for ASA instead. you may need to define a lookup csv containing your ASA codes
e.g. my csv contains
106027 %ASA-4-106027 Error Yes Port
107001 %ASA-1-107001 Error Yes Attempt
107002 %ASA-1-107002 Error Yes Attempt
109017 %ASA-4-109017 Error Yes DoS
https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog.html
What is a lookup for ”lookup hostlist.csv IP as dest ”?
index=test1 OR index=test2* OR index=test3* action=blocked dest=* NOT(msg="Deny TCP (no connection) from * flags RST on interface *") (src_ip=*/* OR src_ip=*/* OR src_ip=*/* OR src_ip=*/*) [|inputlookup hostlist.csv|fields IP|rename IP as dest ]
Use TERM for IP search
src_ip=TERM(1.1.1.1) OR src_ip=TERM(1.1.1.2)
Using fields reduces the required fields.
table xxx,xxx->fields xxx,xxx
Hi @ HiroshiSatoh .I performed above query you suggested .I am getting no results .
Sorry that this is not an answer more some ideas, but
“Some trusted people were chatting...here you go. Don’t mind the ‘what the hell is this’ commentary” 🙂
If you wonder about who the trusted people were, some of these guys https://www.splunk.com/blog/2017/09/26/the-splunktrust-2018-in-all-its-fezzed-glory.html
Thanks @ MuS .I very lucky and happy that Splunk trust team replied me .I believe 600 hosts so it is taking that long to check hosts for only 4 hours of data .
Okay some options here:
*
or NOT
instead search for exactly what you wantFast Mode
[ | inputlookup hotlist.csv | dedup host | table host | format ]
this will create a group of ((host=x) OR (host=y) OR ...
and speeds up the searchcheers, MuS
Thanks @Mus