Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to raise the alert for sourcetype=netstat

sarvesh_11
Communicator
‎11-13-2019 03:20 AM

Hi Splunker,

How can i Write the splunk query to show the state of a port for local address? The result of netstat is for the whole ports on the particular server, and the results be like:

Proto Recv-Q Send-Q LocalAddress ForeignAddress State
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN

Now in this case, how shall i write the query if the State for port 111 changes from Listen to CLOSED_WAIT or Closed etc...?

Reply

SinghK
Builder
‎12-03-2021 04:40 AM

Put that in a table for all the fields and search for State!= Listen

0 Karma
Reply

SinghK
Builder
‎12-03-2021 04:41 AM

| table .....| search state!=Listen

0 Karma
Reply

lbruhns
Explorer
‎12-02-2021 11:59 AM

came here for same question

 

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...