Can you help with a Splunk query for filtering a destination port count to a table?

vaibhavmehta
New Member

Hello, everyone,

I need some help regarding a firewall rule that I am trying to analyze via Splunk. What I am trying to do is filter out a sorted output of the source and destination IP along with the top 200 ports that are used most in the output.

Now, when I sort by the count, I lose the ability to get the source IP and destination IP details. THE TABLE SHOULD BE CONSIDERING THE COMPLETE OUTPUT OF TOP 200 PORTS ALONG WITH THE SOURCE IP AND DESTINATION IPS THAT ARE INVOLVED IN THE COMMUNICATION. For example:

EXAMPLE

index=firewall dvc="Devicename*" message_tag="RT_FLOW_SESSION_CREATE" rule="RULENAME"  | stats count by dest_port | sort -count 
0 Karma

kamlesh_vaghela
SplunkTrust

@vaibhavmehta

Can you please try the following searches and see whether they give you the desired output?

index=firewall dvc="Devicename*" message_tag="RT_FLOW_SESSION_CREATE" rule="RULENAME" | stats values(src) as src values(dest) as dest count by dest_port | sort 200 -count

OR

index=firewall dvc="Devicename*" message_tag="RT_FLOW_SESSION_CREATE" rule="RULENAME" | stats count by dest_port, dest, src | sort 200 -count 

Just try both and let me know which one matches your requirement, or comes closest to it.
Thanks


0 Karma


vaibhavmehta
New Member

I already tried the 2nd string, but that gives an individual count; the first string works like a charm 🙂

Validating it for a longer duration now. Thanks for the quick response.

0 Karma

somesoni2
Revered Legend

One option could be this:

index=firewall dvc="Devicename*" message_tag="RT_FLOW_SESSION_CREATE" rule="RULENAME" [search index=firewall dvc="Devicename*" message_tag="RT_FLOW_SESSION_CREATE" rule="RULENAME" | stats count by dest_port | sort 200 -count | table dest_port] | stats count by dest_port src_ip dest_ip

The subsearch limits the final search result to only include those top 200 dest_ports returned by subsearch.

0 Karma
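As an added illustration that is not part of the thread, the following Python emulates the three searches discussed above (the `values()` form, the `count by dest_port, dest, src` form, and the subsearch form) over a handful of constructed firewall events. It shows why the triple-grouped search yields "individual counts" that no longer rank by port total, while the other two keep the port as the unit of ranking. Field names (`src`, `dest`, `dest_port`) follow the thread; the event lines and IPs are constructed.

```python
import re
from collections import Counter

# Constructed sample events, written as the key=value fields Splunk would
# extract from RT_FLOW_SESSION_CREATE messages; not real firewall logs.
RAW_EVENTS = """\
src=10.0.0.5 dest=192.0.2.10 dest_port=443
src=10.0.0.5 dest=192.0.2.10 dest_port=443
src=10.0.0.6 dest=192.0.2.10 dest_port=443
src=10.0.0.5 dest=192.0.2.11 dest_port=443
src=10.0.0.5 dest=192.0.2.10 dest_port=22
src=10.0.0.5 dest=192.0.2.10 dest_port=22
src=10.0.0.5 dest=192.0.2.10 dest_port=22
src=10.0.0.7 dest=192.0.2.53 dest_port=53""".splitlines()

def parse(lines):
    """Field extraction: one dict of key=value pairs per event."""
    return [dict(re.findall(r"(\w+)=(\S+)", line)) for line in lines]

def top_ports(events, n):
    """stats count by dest_port | sort n -count  (the asker's original search)."""
    return Counter(e["dest_port"] for e in events).most_common(n)

def ports_with_values(events, n):
    """stats values(src) as src values(dest) as dest count by dest_port | sort n -count
    One row per port; src and dest become multivalue lists of every peer seen."""
    rows = []
    for port, count in top_ports(events, n):
        hits = [e for e in events if e["dest_port"] == port]
        rows.append({"dest_port": port, "count": count,
                     "src": sorted({e["src"] for e in hits}),
                     "dest": sorted({e["dest"] for e in hits})})
    return rows

def per_triple(events, n):
    """stats count by dest_port, dest, src | sort n -count
    Every (port, dest, src) combination is counted separately, so a busy port is
    split across rows and its total no longer drives the ranking."""
    return Counter((e["dest_port"], e["dest"], e["src"]) for e in events).most_common(n)

def subsearch_filter(events, n):
    """main search [subsearch: top n dest_port] | stats count by dest_port src dest
    Ranks by port total, then keeps one row per (port, src, dest) for those ports."""
    keep = {port for port, _ in top_ports(events, n)}
    c = Counter((e["dest_port"], e["src"], e["dest"])
                for e in events if e["dest_port"] in keep)
    return sorted(c.items(), key=lambda kv: (-kv[1], kv[0]))
```

With n=2, `ports_with_values` returns ports 443 and 22 with all their peers, `per_triple` ranks the single (22, .10, .5) pair above a 443 pair and drops the other 443 peers, and `subsearch_filter` keeps every (port, src, dest) row for ports 443 and 22 only.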