Solved: How to use splunk for data monitoring and alert

Sunjux · ‎06-15-2021

Dear Splunkers:

I use nmap to monitor my device and contain these logs to Splunk,(every 6hrs)

These data only include ip and tcp open port,

E.g:

ip_addr 1.2.3.4
port_list 80\n433\n3389

Now I want to notify me when there is a new tcp port open(Compare the results of the previous two scans,which is the data twelve hours ago )

Which spl syntax should I use? Can someone give me any direction? thank you very much 🙂

Sunjux · ‎06-16-2021

Dear all:

I found the solution in this post

Recommend to people who have the same questions as me!😁

Sunjux · ‎06-16-2021

Dear all:

I found the solution in this post

Recommend to people who have the same questions as me!😁

ITWhisperer · ‎06-15-2021

Can you share some anonymised event as you have them in splunk?

Sunjux · ‎06-15-2021

Hi ,of course!Please refer to the following picture,

I have captured two fields, namely 「ip_add」 and「 port_list」

thanks!

How to use splunk for data monitoring and alert