https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Search-Syntax-to-show-service-amp-dstport/m-p/559581#M6405 <P>Try fillnull for the dstport</P><LI-CODE lang="markup">index="fortinet" "devname=" "xxxxx-xxxxxx" "vd=" "xxx-xxxxx" policyid=5 action=accept | fillnull value=0 dstport | stats count by srcip, dstip, dstport, service, action, date, time, policyid | dedup srcip dstip dstport service consecutive=true | sort 0 field</LI-CODE> Thu, 15 Jul 2021 11:52:35 GMT ITWhisperer 2021-07-15T11:52:35Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Search-Syntax-to-show-service-amp-dstport/m-p/559574#M6403 <P>Hi,</P><P>I'm running the below syntax on Splunk Enterprise to get traffic logs from Fortigate firewalls:</P><P><STRONG>index="fortinet" "devname=" "xxxxx-xxxxxx" "vd=" "xxx-xxxxx" policyid=5 action=accept</STRONG><BR /><STRONG>| stats count by srcip, dstip, dstport, service, action, date, time, policyid</STRONG><BR /><STRONG>| dedup srcip dstip dstport service consecutive=true</STRONG><BR /><STRONG>| sort 0 field</STRONG></P><P>This gives me all TCP &amp; UDP traffic, then I can download &amp; filter in a .csv but doesn't pick up ICMP traffic (specifically icmp type 8). I have to run a separate syntax to get just ICMP as below:</P><P><STRONG>index="fortinet" "devname=" "xxxxx-xxxxxx" "vd=" "xxx-xxxxx" policyid=5 action=accept</STRONG><BR /><STRONG>| stats count by srcip, dstip, service, action, date, time, policyid</STRONG><BR /><STRONG>| dedup srcip dstip service consecutive=true</STRONG><BR /><STRONG>| sort 0 field</STRONG></P><P>It seems that because ICMP has no dstport the syntax needs adjusting.</P><P><STRONG>I need is a syntax that will return all traffic, i.e. TCP, UDP &amp; ICMP.</STRONG></P><P>Please advise?</P><P>Naz</P> Thu, 15 Jul 2021 11:18:52 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Search-Syntax-to-show-service-amp-dstport/m-p/559574#M6403 Naz_Lightening 2021-07-15T11:18:52Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Search-Syntax-to-show-service-amp-dstport/m-p/559579#M6404 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/236439">@Naz_Lightening</a>&nbsp;</P><P>Can you try this SPL? I hope it works without looking at data its a guess let me know how you go.</P><LI-CODE lang="markup">index="fortinet" "devname=" "xxxxx-xxxxxx" "vd=" "xxx-xxxxx" policyid=5 action=accept | eval dstport=if(isnull(dstport),"none", dstport) | stats count by srcip, dstip, dstport, service, action, date, time, policyid | dedup srcip dstip dstport service consecutive=true | search dstport!="none" | sort 0 field</LI-CODE><P>&nbsp; --</P><P>An upvote would be appreciated and Accept solution if this reply helps!</P> Thu, 15 Jul 2021 11:40:24 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Search-Syntax-to-show-service-amp-dstport/m-p/559579#M6404 venkatasri 2021-07-15T11:40:24Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Search-Syntax-to-show-service-amp-dstport/m-p/559581#M6405 <P>Try fillnull for the dstport</P><LI-CODE lang="markup">index="fortinet" "devname=" "xxxxx-xxxxxx" "vd=" "xxx-xxxxx" policyid=5 action=accept | fillnull value=0 dstport | stats count by srcip, dstip, dstport, service, action, date, time, policyid | dedup srcip dstip dstport service consecutive=true | sort 0 field</LI-CODE> Thu, 15 Jul 2021 11:52:35 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Search-Syntax-to-show-service-amp-dstport/m-p/559581#M6405 ITWhisperer 2021-07-15T11:52:35Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Search-Syntax-to-show-service-amp-dstport/m-p/559591#M6409 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;cheers that's done it nicely!</P> Thu, 15 Jul 2021 13:29:03 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Search-Syntax-to-show-service-amp-dstport/m-p/559591#M6409 Naz_Lightening 2021-07-15T13:29:03Z