Solved: Re: How to import a list of IP and port pairs, the...

pwqs · ‎12-07-2015

I regularly generate a list of IP addresses and port pairs for which I should see traffic, and I log firewall traffic in Splunk. Is there a way that I can import that list of IP/port pairs and then compare against the firewall logs to generate statistics? I'm particularly interested in low/no results, i.e. IP/port pairs which should be seen, but haven't been. The comparison itself is simple, it's using the externally-generated list that I'm struggling with. I can create a lookup table, but I'm not sure how to compare the logs against that lookup table.

Any thoughts?

sundareshr · ‎12-07-2015

If you have a iplist_lookup lookup table with a field called ipaddress, you could do something like this

sourcetype="network_logs" | join ipaddress [|inputlookup iplist_lookup] | stats ...

View solution in original post

sundareshr · ‎12-07-2015

If you have a iplist_lookup lookup table with a field called ipaddress, you could do something like this

sourcetype="network_logs" | join ipaddress [|inputlookup iplist_lookup] | stats ...

pwqs · ‎12-07-2015

This works almost perfectly, however I can't work out how to display where the count is zero.

sundareshr · ‎12-07-2015

Change the order and do a join

|inputlookup iplist_lookup | join type=outer ipaddress  [search sourcetype="network_logs"  | stats count by ipaddress] | fillnull value=0 count

pwqs · ‎12-07-2015

Perfect, thanks!

How to import a list of IP and port pairs, then compare this against firewall logs to generate statistics?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases