topic Re: As per default search it will looking for all the ports but I wants to look for only specific port range of 1 to 1024. in Splunk Enterprise Security

As per default search it will looking for all the ports but I wants to look for only specific port range of 1 to 1024.

N92 — Tue, 29 Sep 2020 18:53:40 GMT

| tstats summariesonly=true allow_old_summaries=true dc(All_Application_State.Ports.transport_dest_port) as "port_count" from datamodel=Application_State.All_Application_State where nodename=All_Application_State.Ports by "All_Application_State.dest" | rename "All_Application_State.dest" as "dest" | where 'port_count'>20

Re: As per default search it will looking for all the ports but I wants to look for only specific port range of 1 to 1024.

javiergn — Fri, 06 Apr 2018 09:05:35 GMT

Maybe something like this (NOT TESTED as I don't have Enterprise Security installed):

| tstats summariesonly=true allow_old_summaries=true dc(All_Application_State.Ports.transport_dest_port) as "port_count" 
from 
    datamodel=Application_State.All_Application_State 
where 
    nodename=All_Application_State.Ports
    All_Application_State.Ports.transport_dest_port >= 1
    All_Application_State.Ports.transport_dest_port <= 1024
by 
    "All_Application_State.dest" 
| rename "All_Application_State.dest" as "dest" 
| where 'port_count'>20

It is pretty much your search with 2 filters in the where clause in order to look for ports 1-1024, assuming that field is a number of course.

Hope that helps,
J

Re: As per default search it will looking for all the ports but I wants to look for only specific port range of 1 to 1024.

N92 — Fri, 06 Apr 2018 09:36:57 GMT

Thanks @javiergn

But it's not working.

Re: As per default search it will looking for all the ports but I wants to look for only specific port range of 1 to 1024.

deepashri_123 — Tue, 29 Sep 2020 19:31:15 GMT

Hey @javiergn,

Can you try using this query:

| tstats summariesonly=true allow_old_summaries=true dc(All_Application_State.Ports.transport_dest_port) as "port_count"
from
datamodel=Application_State.All_Application_State
where
nodename=All_Application_State.Ports AND
All_Application_State.Ports.transport_dest_port < "1025"
by
"All_Application_State.dest"
| rename "All_Application_State.dest" as "dest"
| where 'port_count'>20

Let me know if this helps!!

Re: As per default search it will looking for all the ports but I wants to look for only specific port range of 1 to 1024.

javiergn — Mon, 09 Apr 2018 13:52:24 GMT

Hi, what kind of error do you get? or is it just empty?

Re: As per default search it will looking for all the ports but I wants to look for only specific port range of 1 to 1024.

N92 — Sun, 15 Apr 2018 14:17:36 GMT

Sorry for late replay. But also no luck with your modifications. @deepashri_123

Re: As per default search it will looking for all the ports but I wants to look for only specific port range of 1 to 1024.

N92 — Sun, 15 Apr 2018 14:18:29 GMT

sorry to late replay. @javiergn

It's empty.

Re: As per default search it will looking for all the ports but I wants to look for only specific port range of 1 to 1024.

deepashri_123 — Mon, 16 Apr 2018 06:21:44 GMT

is the datamodel accelerated?

Re: As per default search it will looking for all the ports but I wants to look for only specific port range of 1 to 1024.

N92 — Tue, 17 Apr 2018 07:41:03 GMT

@deepashri_123
Yes. datamodel is accelerated. I am able to run by default search but not able to run with your modification. The result is empty. It does not show any error.