Hello, everyone,
I need some help regarding the analysis of a firewall rule that I am trying to analyze via Splunk. What I am trying to do is to filter out a sorted output of the source and destination IP along with the top 200 ports that are used most out of the output.
Now, when I sort by the count, I lose the ability to get the source IP and destination IP details. THE TABLE SHOULD BE CONSIDERING THE COMPLETE OUTPUT OF TOP 200 PORTS ALONG WITH THE SOURCE IP AND DESTINATION IPS THAT ARE INVOLVED IN THE COMMUNICATION, for example:
EXAMPLE
index=firewall dvc="Devicename*" message_tag="RT_FLOW_SESSION_CREATE" rule="RULENAME" | stats count by dest_port | sort -count
@vaibhavmehta
Can you please try the following searches and see whether they give you the desired output?
index=firewall dvc="Devicename*" message_tag="RT_FLOW_SESSION_CREATE" rule="RULENAME" | stats values(src) as src values(dest) as dest count by dest_port | sort 200 -count
OR
index=firewall dvc="Devicename*" message_tag="RT_FLOW_SESSION_CREATE" rule="RULENAME" | stats count by dest_port, dest, src | sort 200 -count
Just try both and let me know which is as per your requirement or near to it.
Thanks
I already tried the 2nd string but that gives an individual count, but the first string works like a charm 🙂
Validating it for a longer duration now, thanks for the quick response
One option could be this
index=firewall dvc="Devicename*" message_tag="RT_FLOW_SESSION_CREATE" rule="RULENAME" [search index=firewall dvc="Devicename*" message_tag="RT_FLOW_SESSION_CREATE" rule="RULENAME" | stats count by dest_port | sort 200 -count | table dest_port ]| stats count by dest_port src_ip dest_ip
The subsearch limits the final search result to only include those top 200 dest_ports returned by subsearch.
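Added example, not from the thread: a small Python model of the three searches above (the values() aggregation per port, the count per port/dest/src tuple, and the subsearch-filtered variant) run over a constructed set of sessions, so the difference the original poster observed is visible outside Splunk. The field names mirror the thread; the sample IPs and ports are constructed.

```python
# Added example (not from the thread): model the SPL searches over constructed
# RT_FLOW_SESSION_CREATE-style records so their output shapes can be compared.
from collections import Counter, defaultdict

# Constructed sample sessions: (src, dest, dest_port)
SESSIONS = [
    ("10.0.0.5", "192.0.2.10", 443),
    ("10.0.0.6", "192.0.2.10", 443),
    ("10.0.0.5", "192.0.2.11", 443),
    ("10.0.0.7", "192.0.2.12", 22),
    ("10.0.0.7", "192.0.2.12", 22),
    ("10.0.0.8", "192.0.2.13", 3389),
]


def stats_values_by_port(sessions, top_n=200):
    """stats values(src) as src values(dest) as dest count by dest_port | sort N -count
    One row per port; src/dest hold the distinct values seen on that port."""
    count, src, dest = Counter(), defaultdict(set), defaultdict(set)
    for s, d, port in sessions:
        count[port] += 1
        src[port].add(s)
        dest[port].add(d)
    rows = [(p, sorted(src[p]), sorted(dest[p]), count[p]) for p in count]
    rows.sort(key=lambda r: (-r[3], r[0]))  # highest count first, port as tiebreak
    return rows[:top_n]


def stats_count_by_tuple(sessions, top_n=200):
    """stats count by dest_port, dest, src | sort N -count
    One row per (port, dest, src) tuple, so a port's sessions are split across rows."""
    count = Counter((port, d, s) for s, d, port in sessions)
    rows = sorted(count.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(port, d, s, n) for (port, d, s), n in rows[:top_n]]


def top_ports_then_count(sessions, top_n=200):
    """Subsearch variant: keep only sessions on the top-N ports, then count by
    (dest_port, dest, src). Every tuple for a top port is kept, with no row limit."""
    top_ports = {port for port, _, _, _ in stats_values_by_port(sessions, top_n)}
    kept = [t for t in sessions if t[2] in top_ports]
    return stats_count_by_tuple(kept, top_n=len(kept))


if __name__ == "__main__":
    for row in stats_values_by_port(SESSIONS):
        print(row)
```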