I regularly generate a list of IP addresses and port pairs for which I should see traffic, and I log firewall traffic in Splunk. Is there a way that I can import that list of IP/port pairs and then compare against the firewall logs to generate statistics? I'm particularly interested in low/no results, i.e. IP/port pairs which should be seen, but haven't been. The comparison itself is simple, it's using the externally-generated list that I'm struggling with. I can create a lookup table, but I'm not sure how to compare the logs against that lookup table.
Any thoughts?
If you have an iplist_lookup lookup table with a field called ipaddress, you could do something like this:
sourcetype="network_logs" | join ipaddress [|inputlookup iplist_lookup] | stats ...
This works almost perfectly, however I can't work out how to display where the count is zero.
Change the order and do a join
|inputlookup iplist_lookup | join type=outer ipaddress [search sourcetype="network_logs" | stats count by ipaddress] | fillnull value=0 count
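The outer-join-plus-fillnull pattern above, reproduced in Python as an added example (not code from this thread or from Splunk) so the logic can be checked offline. It keys on the IP/port pair the original question asks about rather than on ipaddress alone, and the lookup rows and firewall log lines are constructed sample data; the log field names (dst, dport) are assumptions.

```python
import re
from collections import Counter

# Constructed sample data (not from the thread): the externally generated list
# of IP/port pairs that should be seen, as a lookup table would hold it.
EXPECTED_PAIRS = [
    ("10.0.0.5", 443),
    ("10.0.0.5", 22),
    ("10.0.0.9", 53),
    ("192.168.1.20", 3389),
]

# Constructed firewall log lines; field names dst= and dport= are assumed.
FIREWALL_LOGS = """\
2024-01-01T00:00:01 action=allow src=172.16.0.3 dst=10.0.0.5 dport=443
2024-01-01T00:00:02 action=allow src=172.16.0.4 dst=10.0.0.5 dport=443
2024-01-01T00:00:03 action=allow src=172.16.0.3 dst=10.0.0.9 dport=53
2024-01-01T00:00:04 action=deny src=172.16.0.8 dst=10.0.0.5 dport=22
2024-01-01T00:00:05 action=allow src=172.16.0.3 dst=10.0.0.77 dport=8080
"""

LOG_RE = re.compile(r"\bdst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\b")


def count_observed_pairs(log_text):
    """Equivalent of `stats count by ipaddress port`: count each (dst, dport)
    pair seen in the logs. Lines without both fields are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            counts[(m.group("dst"), int(m.group("dport")))] += 1
    return counts


def join_expected_with_counts(expected_pairs, observed_counts):
    """Equivalent of `| inputlookup ... | join type=outer ... | fillnull value=0 count`:
    every expected pair is kept (left outer join), pairs with no matching log
    events get count 0, and observed pairs that are not in the list are dropped."""
    return [
        (ip, port, observed_counts.get((ip, port), 0))
        for ip, port in expected_pairs
    ]


def missing_pairs(expected_pairs, log_text):
    """The rows the original poster cared about: expected pairs with zero traffic."""
    joined = join_expected_with_counts(expected_pairs, count_observed_pairs(log_text))
    return [(ip, port) for ip, port, count in joined if count == 0]


if __name__ == "__main__":
    for ip, port, count in join_expected_with_counts(
        EXPECTED_PAIRS, count_observed_pairs(FIREWALL_LOGS)
    ):
        print(f"{ip}:{port}\tcount={count}")
    print("missing:", missing_pairs(EXPECTED_PAIRS, FIREWALL_LOGS))
```

Running it lists 10.0.0.5:443 with count 2, 10.0.0.5:22 and 10.0.0.9:53 with count 1, and 192.168.1.20:3389 with count 0, which is the row the plain inner join would have silently dropped; 10.0.0.77:8080 never appears because it is not in the expected list, exactly as with the SPL outer join driven from the lookup.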
Perfect, thanks!