topic Re: How can I clean up my Splunk search? in Splunk Search

How can I clean up my Splunk search?

phspec — Tue, 02 Feb 2016 17:50:26 GMT

How do I clean up the following Splunk search?

index=firewall Destination_Port!=80 Destination_Port!=443 Destination_Port!=8080 Source_Port!=80 Source_Port!=443 Source_Port!=8080 1_Dst_Port!=80 1_Dst_Port!=443 1_Dst_Port!=8080 1_Src_Port!=80 1_Src_Port!=443 1_Src_Port!=8080 1_Dst_Nat_Port!=80 1_Dst_Nat_Port!=443 1_Dst_Nat_Port!=8080 1_Src_Nat_Port!=80 1_Src_Nat_Port!=443 1_Src_Nat_Port!=8080

Re: How can I clean up my Splunk search?

somesoni2 — Tue, 02 Feb 2016 18:12:31 GMT

May something like this

index=firewall NOT [| gentimes start=-1 | eval fields="Destination_Port Source_Port 1_Dst_Port 1_Src_Port 1_Dst_Nat_Port 1_Src_Nat_Port" | eval ports="80 443 8080" | fields fields ports | makemv fields | makemv ports | mvexpand fields | mvexpand ports | eval {fields}=ports | fields - fields ports | format "" "" "" "OR" "" ""]

Just add/update/remove field names and the port numbers in the subsearch.

Re: How can I clean up my Splunk search?

phspec — Tue, 02 Feb 2016 18:14:37 GMT

if I wanted the search to go back 3 days, would the "gentimes start=-3d"?

Re: How can I clean up my Splunk search?

somesoni2 — Tue, 02 Feb 2016 18:22:02 GMT

Ohh no. The gentimes is basically an event generator that I use (your can use just the '| stats count' as well there). It has nothing to do with the requirement you've here. The subsearch is generating the dynamic conditions (you can check the normalizedSearch property in Inspect job) from the results of the subsearch. For more details just run the subsearch in a separate search page.

Re: How can I clean up my Splunk search?

phspec — Tue, 02 Feb 2016 18:24:27 GMT

Also, I get the following error: Error in 'search' command: Unable to parse the search: 'OR' operator is missing a clause on the right hand side.

When I add two double quotes to the right of the 'OR' operator, I get the following error: Error in 'format' command: Invalid argument: ''

Re: How can I clean up my Splunk search?

somesoni2 — Tue, 02 Feb 2016 18:46:13 GMT

Try running it with the format command. So just this

index=firewall NOT [| gentimes start=-1 | eval fields="Destination_Port Source_Port 1_Dst_Port 1_Src_Port 1_Dst_Nat_Port 1_Src_Nat_Port" | eval ports="80 443 8080" | fields fields ports | makemv fields | makemv ports | mvexpand fields | mvexpand ports | eval {fields}=ports | fields - fields ports ]

Re: How can I clean up my Splunk search?

phspec — Tue, 02 Feb 2016 21:58:32 GMT

without the format command, the query works. Thanks!

Re: How can I clean up my Splunk search?

phspec — Tue, 02 Feb 2016 22:57:39 GMT

I'm trying to get the query going back 3 days, so I've tried the "gentimes" command formatting as such: gentimes start=1/31/16 end=2/2/16, and I've also tried: gentimes start=-3 end=0 interval=1d, but my query only goes back 1 hour. Could you possibly indicate where my syntax is wrong.