Getting Data In

Splunk whitelisting ports as csv

soesia12
New Member

Hey!

I'm trying to make a search that takes all values from my whitelist and compares them to all destination ports. The goal of this search is to see if a port that is not whitelisted is used. To accomplish this I want to evaluate the distinct count of all destination ports and compare this value to the distinct count of the destination ports that match the whitelist.

My search is as follows:

| inputlookup ports.csv
| eval port=Ports
| append [search sourcetype=syslog dst_port!="" | eval destination=dst_port]
| stats distinct_count(destination) as unique_ports
| stats distinct_count(destination) as matches
| where destintation = port
| table unique_ports, matches

When I try to run the search no data is found...

Thanks.


starcher
SplunkTrust

sourcetype=syslog dst_port=*| lookup ports.csv port as dst_port OUTPUTNEW port as isWhitelist | where isnull(isWhitelist)

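Added example, not code from the question or the answer above: a stand-alone Python stand-in for the search logic, run over a constructed ports.csv and a handful of constructed syslog-style events. It shows both the answer's per-event check (an event is flagged when its dst_port has no matching whitelist row, the equivalent of `lookup ... OUTPUTNEW ... | where isnull(isWhitelist)`) and the distinct-count comparison the question set out to make. The CSV column name `Ports` is an assumption taken from the question's `eval port=Ports`; the log lines, hostnames and port numbers are made up.

```python
import csv
import io
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed stand-in for ports.csv. The header is "Ports", as the question's
# `eval port=Ports` implies (assumption about the real file).
PORTS_CSV = """Ports
22
80
443
"""

# Constructed syslog-style events carrying a dst_port field; not real log data.
SYSLOG_EVENTS = [
    "Jan 10 12:00:01 fw1 conn: src=10.0.0.5 dst=10.0.1.7 dst_port=443 action=allow",
    "Jan 10 12:00:02 fw1 conn: src=10.0.0.6 dst=10.0.1.7 dst_port=22 action=allow",
    "Jan 10 12:00:03 fw1 conn: src=10.0.0.7 dst=10.0.1.9 dst_port=4444 action=allow",
    "Jan 10 12:00:04 fw1 conn: src=10.0.0.8 dst=10.0.1.9 dst_port=80 action=allow",
    "Jan 10 12:00:05 fw1 conn: src=10.0.0.9 dst=10.0.1.9 dst_port=4444 action=allow",
    "Jan 10 12:00:06 fw1 conn: src=10.0.0.9 dst=10.0.1.9 action=deny",  # no dst_port
]

DST_PORT_RE = re.compile(r"\bdst_port=(\S+)")


def load_whitelist(csv_text: str, column: str = "Ports") -> Set[str]:
    """Read the whitelist column as a set of strings.

    A Splunk CSV lookup compares field values as text, so the values are kept
    as strings here too ("443" matches "443"). Naming a column that is not in
    the header is the mistake that silently yields no matches in a lookup, so
    it is made loud here.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    if column not in (reader.fieldnames or []):
        raise KeyError(f"lookup column {column!r} not in CSV header {reader.fieldnames}")
    return {row[column].strip() for row in reader if row[column].strip()}


def extract_dst_port(event: str) -> Optional[str]:
    """Pull dst_port out of a key=value style event; None if the field is absent."""
    m = DST_PORT_RE.search(event)
    return m.group(1) if m else None


def non_whitelisted_events(events: Iterable[str], whitelist: Set[str]) -> List[Tuple[str, str]]:
    """Per-event check, the shape of the answer's search: keep events whose
    dst_port did not match any whitelist row. Events without dst_port are
    skipped, as `dst_port=*` drops them in the SPL."""
    hits = []
    for ev in events:
        port = extract_dst_port(ev)
        if port is None:
            continue
        if port not in whitelist:
            hits.append((port, ev))
    return hits


def distinct_count_summary(events: Iterable[str], whitelist: Set[str]) -> Dict[str, object]:
    """The comparison the question asked for: distinct dst_ports seen versus
    distinct dst_ports that are on the whitelist, plus the ones that were not."""
    seen = {p for p in map(extract_dst_port, events) if p is not None}
    matches = seen & whitelist
    return {
        "unique_ports": len(seen),
        "matches": len(matches),
        "unmatched": sorted(seen - whitelist),
    }


if __name__ == "__main__":
    wl = load_whitelist(PORTS_CSV)
    for port, ev in non_whitelisted_events(SYSLOG_EVENTS, wl):
        print(f"non-whitelisted dst_port={port}: {ev}")
    print(distinct_count_summary(SYSLOG_EVENTS, wl))
```

One caveat worth checking before running the answer's search: `lookup ports.csv port as dst_port` names the CSV column `port`, while the question's `eval port=Ports` suggests the real column is `Ports`. If the header is `Ports`, the lookup must use that name (`lookup ports.csv Ports as dst_port OUTPUTNEW Ports as isWhitelist`), otherwise nothing matches and every event looks non-whitelisted. The `KeyError` in `load_whitelist` is the offline stand-in for that failure mode.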