Currently I have Splunk ingesting AWS logs showing NACLs. Each event has an array called network_acl_entries. This is a list of objects, and each object has a cidr_block field and a rule_action field. I'm trying to display in a table each rule that is not a deny on subnet 0.0.0.0/0. I can't find a way to remove the entire object from the list if network_acl_entries.cidr_block=0.0.0.0/0 and network_acl_entries.rule_action="allow". There's no way to correlate the data. I put them in a table, and I can individually remove all the denies, but it still lists those CIDRs associated with the denies.

The search for the table looks like:

index=__aws aws_account_id="*" region="*" source="*:vpc_network_acls" sourcetype="aws:description"
| dedup associations{}.id
| rename network_acl_entries{}.cidr_block as cidr, network_acl_entries{}.egress as egress, network_acl_entries{}.rule_action as rule, associations{}.subnet_id as subnet, network_acl_entries{}.port_range.to_port as "to port", network_acl_entries{}.port_range.from_port as "from port", network_acl_entries{}.rule_number as rule_Number
| table index account_id vpc_id tags.Name id subnet rule_Number cidr, egress, rule, "to port", "from port"

Each row in the table is a separate VPC that lists all NACLs and the CIDRs that are open/closed.