Hello guys,
I'd like to check changes in the Checkpoint firewall logs, but I don't get any results:
index=xxx host=yyy action=accept earliest=-24h@h latest=-20h@h sourcetype=*opsec | eval src_acc=src | eval dst_acc=dst | eval acc_action=action | join src,dst [search index=xxx host=yyy sourcetype=opsec action=drop earliest=-1h@h latest=now src=src_acc dst=dst_acc | eval src_dro=src | eval dst_dro=dst | eval drop_action=action | eval before_time=strftime(_time,"%y/%m/%d %H:%M")] | table _time,src_dro,src_acc,dst_dro,dst_acc,action,before_action,before_time*
Thanks for your help!
It's awfully hard to tell from a long, complex search string like that exactly what is going awry and causing you to get 0 results. But from looking closely at your search string, I do notice this: in the first part of your search, you create fields called src_acc and dst_acc, and then you try to use those fields in the joined subsearch. However, those fields won't exist in the scope of your joined subsearch, so this part of the subsearch is likely to fail: search index=xxx host=yyy sourcetype=opsec action=drop earliest=-1h@h latest=now src=src_acc dst=dst_acc
Try running that part alone in a search window and see if you get results. If not, that's likely your issue.
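One way to restructure the search so the subsearch stands on its own and the correlation is done by the join keys rather than by outer-scope fields, written as an added example that is not part of the original post; index=xxx and host=yyy are the question's own placeholders, and the field names acc_time/drop_time are this example's choice:

```spl
index=xxx host=yyy sourcetype=opsec action=accept earliest=-24h@h latest=-20h@h
| eval acc_action=action, acc_time=strftime(_time, "%y/%m/%d %H:%M")
| join type=inner src, dst
    [ search index=xxx host=yyy sourcetype=opsec action=drop earliest=-1h@h latest=now
      | eval drop_action=action, drop_time=strftime(_time, "%y/%m/%d %H:%M")
      | fields src, dst, drop_action, drop_time ]
| table acc_time, src, dst, acc_action, drop_action, drop_time
```

The subsearch only references its own fields (src, dst), so it returns results on its own, and the accept-side timestamp is renamed before the join so the subsearch's _time does not overwrite it. Keep in mind that a join subsearch is capped at 50,000 results by default, so on a busy firewall a stats-based correlation (one search over both time ranges, stats values(action) by src, dst) scales better than join.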