Getting Data In

Splunk whitelisting ports as csv

New Member


I'm trying to make a search that takes all values from my whitelist and compares them to all destination ports. The goal of this search is to see, if a port that is not whitelisted is used. To accomplish this i want to evaluate the distinct count of all destination ports and compare this value to the distinct count of the destination ports that match the whitelist.

My search is as follows:

| inputlookup ports.csv | eval port=Ports | append [search sourcetype=syslog dst_port!="" | eval destination=dst_port]|stats distinct_count(destination) as unique_ports| stats distinct_count(destination) as matches|where destintation = port|table unique_ports, matches

When i try to run the search no data is found...


0 Karma


sourcetype=syslog dst_port=*| lookup ports.csv port as dst_port OUTPUTNEW port as isWhitelist | where isnull(isWhitelist)

0 Karma
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...