Can you help with a Splunk query for filtering a destination port count to a table?

vaibhavmehta
New Member

Hello, everyone,

I need some help with a firewall rule that I am trying to analyze via Splunk. What I am trying to do is get a sorted output of the source and destination IPs along with the top 200 ports that are used most in the output.

Now, when I sort by the count, I lose the source IP and destination IP details. The table should consider the complete output of the top 200 ports along with the source and destination IPs that are involved in the communication. For example:

EXAMPLE

index=firewall dvc="Devicename*" message_tag="RT_FLOW_SESSION_CREATE" rule="RULENAME"  | stats count by dest_port | sort -count 

kamlesh_vaghela
SplunkTrust

@vaibhavmehta

Can you please try the following searches and see whether they give you the desired output?

index=firewall dvc="Devicename*" message_tag="RT_FLOW_SESSION_CREATE" rule="RULENAME" | stats values(src) as src values(dest) as dest count by dest_port | sort 200 -count

OR

index=firewall dvc="Devicename*" message_tag="RT_FLOW_SESSION_CREATE" rule="RULENAME" | stats count by dest_port, dest, src | sort 200 -count 

Just try both and let me know which one matches your requirement, or is closest to it.
Thanks


vaibhavmehta
New Member

I had already tried the 2nd string, but that gives an individual count; the first string works like a charm 🙂

Validating it over a longer duration now; thanks for the quick response.

somesoni2
SplunkTrust

One option could be this:

index=firewall dvc="Devicename*" message_tag="RT_FLOW_SESSION_CREATE" rule="RULENAME" [search index=firewall dvc="Devicename*" message_tag="RT_FLOW_SESSION_CREATE" rule="RULENAME" | stats count by dest_port | sort 200 -count | table dest_port] | stats count by dest_port src_ip dest_ip

The subsearch limits the final search result to only those top 200 dest_ports returned by the subsearch.
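To make the difference between the three searches in this thread concrete, here is an added Python emulation (my own code, not from the thread, the posters, or Splunk) that runs the same aggregations over a handful of constructed key=value events. The field names (message_tag, rule, src, dest, dest_port) follow the searches above; the event layout itself is made up and is not the real Juniper RT_FLOW_SESSION_CREATE syslog format. The limit is 2 instead of 200 so the effect of each approach is visible on a small sample.

```python
"""Emulate the thread's three SPL approaches (values() per port, count by triple,
subsearch filter) on constructed firewall events."""
from collections import Counter, defaultdict

# Constructed sample events in key=value form. This is NOT the real Juniper
# RT_FLOW_SESSION_CREATE syslog layout; field names mirror the thread's searches.
SAMPLE_EVENTS = """
message_tag=RT_FLOW_SESSION_CREATE rule=RULENAME src=10.0.0.5 dest=10.1.0.20 dest_port=443
message_tag=RT_FLOW_SESSION_CREATE rule=RULENAME src=10.0.0.5 dest=10.1.0.20 dest_port=443
message_tag=RT_FLOW_SESSION_CREATE rule=RULENAME src=10.0.0.6 dest=10.1.0.21 dest_port=443
message_tag=RT_FLOW_SESSION_CREATE rule=RULENAME src=10.0.0.7 dest=10.1.0.22 dest_port=443
message_tag=RT_FLOW_SESSION_CREATE rule=RULENAME src=10.0.0.8 dest=10.1.0.23 dest_port=53
message_tag=RT_FLOW_SESSION_CREATE rule=RULENAME src=10.0.0.8 dest=10.1.0.23 dest_port=53
message_tag=RT_FLOW_SESSION_CREATE rule=RULENAME src=10.0.0.8 dest=10.1.0.23 dest_port=53
message_tag=RT_FLOW_SESSION_CREATE rule=RULENAME src=10.0.0.9 dest=10.1.0.24 dest_port=22
message_tag=RT_FLOW_SESSION_CREATE rule=OTHER src=10.0.0.9 dest=10.1.0.24 dest_port=22
"""


def parse_events(text, rule="RULENAME"):
    """Parse key=value lines and apply the base search's message_tag/rule filter."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        if fields.get("message_tag") == "RT_FLOW_SESSION_CREATE" and fields.get("rule") == rule:
            events.append(fields)
    return events


def top_ports(events, n):
    """| stats count by dest_port | sort n -count
    Ties are broken by port here for determinism; Splunk's sort does not promise a tie order."""
    counts = Counter(e["dest_port"] for e in events)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def values_by_port(events, n):
    """| stats values(src) as src values(dest) as dest count by dest_port | sort n -count
    One row per port; values() collapses the distinct peers into a multivalue field,
    so the result no longer says which src talked to which dest."""
    srcs, dests = defaultdict(set), defaultdict(set)
    for e in events:
        srcs[e["dest_port"]].add(e["src"])
        dests[e["dest_port"]].add(e["dest"])
    return [{"dest_port": p, "src": sorted(srcs[p]), "dest": sorted(dests[p]), "count": c}
            for p, c in top_ports(events, n)]


def count_by_triple(events, n):
    """| stats count by dest_port, dest, src | sort n -count
    Rows are (port, dest, src) tuples, so the limit truncates rows, not ports."""
    counts = Counter((e["dest_port"], e["dest"], e["src"]) for e in events)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def subsearch_filtered(events, n):
    """base [ subsearch -> top n dest_port ] | stats count by dest_port src dest
    The subsearch becomes a (dest_port=A OR dest_port=B ...) filter on the outer search,
    so every src/dest pair for the top n ports survives."""
    keep = {p for p, _ in top_ports(events, n)}
    counts = Counter((e["dest_port"], e["src"], e["dest"])
                     for e in events if e["dest_port"] in keep)
    return sorted(counts.items(), key=lambda kv: (kv[0][0], -kv[1], kv[0][1], kv[0][2]))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("top ports:          ", top_ports(evs, 2))
    print("values() per port:  ", values_by_port(evs, 2))
    print("count by triple:    ", count_by_triple(evs, 2))
    print("subsearch filtered: ", subsearch_filtered(evs, 2))
```

Running it shows why the asker saw an "individual count" from the second search: with the limit applied to (port, dest, src) rows, the top two rows are one pair on port 53 and one pair on port 443, and the remaining 443 pairs are cut off even though 443 is the busiest port. The values() search keeps one row per port but flattens src and dest into separate lists, so the pairing is lost; the subsearch variant keeps the exact pairs for every top-N port. Two practical checks when using the subsearch form in Splunk: the subsearch's default limits (10,000 results and 60 seconds) are far above 200 ports, and the field names must match on both sides (the thread's first two searches use src/dest while the third uses src_ip/dest_ip, so confirm which fields your firewall add-on actually extracts).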