I am attempting to create a visualization showing outgoing traffic from my firewall showing the destination IPs and ports. I'm limiting the time range to 15 minutes or less. The goal is to get a picture of the kind of traffic going out of the network and where.
I've attempted to use Pivot but I'm not sure what to use as filters to get the desired output. Any suggestions?
Thanks niketnilay! It may take a while before I can get approvals to download and test out apps in my Splunk Cloud instance. So I have to ask... do any of these sort by ports? They seem to show node-to-node visualization. I'd like to see what traffic is going out to destination ports 22, 25, 53, 80, and so on.
I have not used Afterglow myself, but for the other two I can list the expected query output:
Network Topology - Custom Visualization expects 5 columns, which could be:
<YourBaseSearch> | table sourceHost sourcePort targetHost targetPort linkType
Sankey Custom Visualization expects stats such as count and avg(bytes) for each source and destination combination. It can have circular dependencies.
<YourBaseSearch> | stats count, avg(bytes) by source destination
If you have source and destination latitude and longitude, you can use the
Missile Map Visualization: https://splunkbase.splunk.com/app/3511/
So you can choose based on what data you can get from your logged events.
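As an added example (not part of niketnilay's comment, and not taken from the apps' own documentation), here is one way to shape outbound firewall events into the two output formats described above while restricting to the last 15 minutes and to a handful of destination ports. It assumes CIM-style Network Traffic field names (src_ip, src_port, dest_ip, dest_port, transport, bytes, direction, action) and an index named firewall; both the index name and the field names are assumptions, so adjust them to your sourcetype.

```spl
index=firewall earliest=-15m direction=outbound action=allowed
    dest_port IN (22, 25, 53, 80, 443)
| eval linkType=lower(transport)."/".dest_port
| stats count BY src_ip src_port dest_ip dest_port linkType
| rename src_ip AS sourceHost, src_port AS sourcePort, dest_ip AS targetHost, dest_port AS targetPort
| table sourceHost sourcePort targetHost targetPort linkType

index=firewall earliest=-15m direction=outbound action=allowed
    dest_port IN (22, 25, 53, 80, 443)
| eval target=dest_ip.":".dest_port
| stats count, avg(bytes) AS avg_bytes BY src_ip target
| rename src_ip AS source
```

The first search produces the five columns the Network Topology comment lists; the second folds the destination port into the Sankey target node label so that flows to the same host on different ports show up as separate links, which is what the "sort by ports" follow-up asks for. Two caveats: source ports are usually ephemeral, so grouping on src_port gives one row per flow and can make the topology very busy; if that is a problem, drop src_port from the BY clause and set sourcePort to a constant with eval. And not every firewall populates a direction field; if yours does not, replace direction=outbound with a filter that excludes private destination ranges, for example NOT (dest_ip=10.0.0.0/8 OR dest_ip=172.16.0.0/12 OR dest_ip=192.168.0.0/16). Run each search as an ordinary table first and confirm the columns come back as expected before switching the panel to the custom visualization.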
@geoffmx, in order to test and confirm whether these apps are a good fit for your use case, you can try out these apps on your local machine (maybe monitor your home network traffic). These apps come with built-in examples as well.
@geoffmx, if you have tried the visualizations and found one working for your use case, please remember to accept my original answer and upvote the answers and comments that helped.
Try one of the following custom visualizations:
Network Topology - Custom Visualization: https://splunkbase.splunk.com/app/3762/
Afterglow App - https://splunkbase.splunk.com/app/277/
Sankey Custom Visualization - https://splunkbase.splunk.com/app/3112/