Splunk Search

Compare firewall action to track network flow changes

splunkreal
Motivator

Hello guys,

I'd like to check for changes in the Checkpoint firewall logs, but I don't get any results:

index=xxx host=yyy action=accept earliest=-24h@h latest=-20h@h sourcetype=*opsec | eval src_acc=src | eval dst_acc=dst | eval acc_action=action | join src,dst [search index=xxx host=yyy sourcetype=opsec action=drop earliest=-1h@h latest=now src=src_acc dst=dst_acc | eval src_dro=src | eval dst_dro=dst | eval drop_action=action | eval before_time=strftime(_time,"%y/%m/%d %H:%M")] | table _time,src_dro,src_acc,dst_dro,dst_acc,action,before_action,before_time*

Thanks for your help!

* If this helps, please upvote or accept solution 🙂 *

elliotproebstel
Champion

It's awfully hard to tell from a long, complex search string like that exactly what is going awry and causing you to get 0 results. But from looking closely at your search string, I do notice this: In the first part of your search, you create fields called src_acc and dst_acc, and then you try to use those fields in the joined subsearch. However, those fields won't exist in the scope of your joined subsearch, so this part of the subsearch is likely to fail: search index=xxx host=yyy sourcetype=opsec action=drop earliest=-1h@h latest=now src=src_acc dst=dst_acc

Try running that part alone in a search window and see if you get results. If not, that's likely your issue.
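One way to get the "accepted earlier, dropped now" comparison without a subsearch at all, as an added example that is not part of either post above: pull both windows in a single base search, tag each event by which window it falls in, and let stats pair them up per src/dst. This avoids the scoping problem entirely, since no field from the outer search has to be visible inside a subsearch. It assumes the same index, host and Checkpoint OPSEC field names (src, dst, action) as the original question; note that the original uses sourcetype=*opsec in the outer search but sourcetype=opsec in the subsearch, so the single pattern below is an assumption that both were meant to match the same sourcetype.

```spl
index=xxx host=yyy sourcetype=*opsec (action=accept OR action=drop) earliest=-24h@h latest=now
| eval accept_time=if(action="accept" AND _time<relative_time(now(),"-20h@h"), _time, null())
| eval drop_time=if(action="drop" AND _time>=relative_time(now(),"-1h@h"), _time, null())
| where isnotnull(accept_time) OR isnotnull(drop_time)
| stats max(accept_time) AS last_accept_time min(drop_time) AS first_drop_time BY src dst
| where isnotnull(last_accept_time) AND isnotnull(first_drop_time)
| eval last_accept_time=strftime(last_accept_time,"%y/%m/%d %H:%M"),
       first_drop_time=strftime(first_drop_time,"%y/%m/%d %H:%M")
| table src dst last_accept_time first_drop_time
```

The base search covers the whole span from -24h@h to now, and the two eval lines carve out the accept window (-24h@h to -20h@h) and the drop window (last hour) by timestamp; events in the gap between them get neither field and are discarded by the where. The final where keeps only src/dst pairs seen in both windows, which is the flow-change condition the question is after. If you would rather keep the join form, the same fix applies: the subsearch must stand on its own (index, host, sourcetype, action=drop and its time range only), and the join src,dst clause does the matching.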
