I am looking at firewall logs. The destination port appears twice in some log lines. I want a search that will show me all the events where the two values are not the same.
Here is a sample log where they do match:
Jul 19 09:08:03 10.203.14.34 id=firewall sn=0017C598FCCC time="2013-07-19 09:08:02" fw=10.203.14.34 pri=6 c=512 m=602 msg="DNS packet allowed" n=43102 src=10.200.0.52:53:X1:eng-dc-01.eng.sonicwall.com dst=10.203.14.34:55034:X1 proto=udp/55034
The values in this log we need are:
dst=10.203.14.34:55034:X1
The formatting for this is (ip address):(port number):(interface). So that means this connection was on port 55043. I call this one dst_port.
proto=udp/55034
This is formatted as: (transport)/(port number). So in the example this is on port 55034. I call this one port.
I am trying searches/filtering that look like (main search) if not (dst_port = port)
Hi jalfrey
You can either use
main search | search NOT dst_port=55034
or
main search | where NOT dst_port=55034
The if() command works differently in Splunk: if(condition, WhatToDoIfTrue, WhatToDoIfNot), like in
eval WasThePort55034 = if(dst_port=55034, "Yes", "No")
Hope this helps
Cheers, MuS
Try this to compare two fields value:
eval match=if(dst_port=port, "Yes", "No") | where match="No" | table _time dst_port port match
Does that make sense?
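As an added example (not part of the thread or MuS's answer), the complete search that extracts both port values from the sample log format and keeps only the events where they differ. It assumes the events live in an index named firewall (a placeholder) and that the dst= and proto= tokens appear in _raw exactly as in the sample above; the extracted field names match the ones jalfrey uses.

```spl
index=firewall id=firewall msg="DNS packet allowed"
| rex "dst=(?<dst_ip>[^:\s]+):(?<dst_port>\d+):(?<dst_if>\S+)"
| rex "proto=(?<transport>[^/\s]+)/(?<port>\d+)"
| eval dst_port=tonumber(dst_port), port=tonumber(port)
| where isnotnull(dst_port) AND isnotnull(port) AND dst_port != port
| table _time src dst_ip dst_port dst_if transport port
```

Comparing the two fields directly in `where` avoids the intermediate match field; `tonumber` makes the comparison numeric rather than string-based, and the `isnotnull` guard keeps events where either extraction failed (a malformed line) from silently disappearing as a "match" or surfacing as a false mismatch. With the sample line above, dst_port and port are both 55034, so it is filtered out; only lines where the two values disagree are listed.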
Sorry MuS. I think I was not clear enough.
I want to know if dst_port and port do not equal each other. If so, show the results.