Compare firewall action to track network flow changes

splunkreal — Tue, 29 Sep 2020 16:49:16 GMT

Hello guys,

I'd like to check changes on the Checkpoint firewall logs but I haven't any result :

index=xxx host=yyy action=accept earliest=-24h@h latest=-20h@h sourcetype=*opsec | eval src_acc=src | eval dst_acc=dst | eval acc_action=action | join src,dst [search index=xxx host=yyy sourcetype=opsec action=drop earliest=-1h@h latest=now src=src_acc dst=dst_acc | eval src_dro=src | eval dst_dro=dst | eval drop_action=action | eval before_time=strftime(_time,"%y/%m/%d %H:%M")] | table _time,src_dro,src_acc,dst_dro,dst_acc,action,before_action,before_time*

Thanks for your help!

Re: Compare firewall action to track network flow changes

elliotproebstel — Thu, 16 Nov 2017 19:32:19 GMT

It's awfully hard to tell from a long, complex search string like that exactly what is going awry and causing you to get 0 results. But from looking closely at your search string, I do notice this: In the first part of your search, you create fields called src_acc and dst_acc, and then you try to use those fields in the joined subsearch. However, those fields won't exist in the scope of your joined subsearch, so this part of the subsearch is likely to fail: search index=xxx host=yyy sourcetype=opsec action=drop earliest=-1h@h latest=now src=src_acc dst=dst_acc

Try running that part alone in a search window and see if you get results. If not, that's likely your issue.

topic Re: Compare firewall action to track network flow changes in Splunk Search

Compare firewall action to track network flow changes

Re: Compare firewall action to track network flow changes