Hey!
I'm trying to make a search that takes all values from my whitelist and compares them to all destination ports. The goal of this search is to see if a port that is not whitelisted is used. To accomplish this I want to evaluate the distinct count of all destination ports and compare this value to the distinct count of the destination ports that match the whitelist.
My search is as follows:
| inputlookup ports.csv | eval port=Ports | append [search sourcetype=syslog dst_port!="" | eval destination=dst_port]|stats distinct_count(destination) as unique_ports| stats distinct_count(destination) as matches|where destintation = port|table unique_ports, matches
When I try to run the search, no data is found...
Thanks.
sourcetype=syslog dst_port=* | lookup ports.csv Ports as dst_port OUTPUTNEW Ports as isWhitelist | where isnull(isWhitelist)
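Building on the answer above, here is an added example (not from the original thread) that also produces the unique_ports and matches counts the question asked for, together with the list of destination ports that fell outside the whitelist. It assumes the CSV column is named Ports (as the question's eval port=Ports suggests) and that ports.csv is configured as a lookup definition of that name, since lookup takes a definition name whereas inputlookup takes a file name.

```spl
sourcetype=syslog dst_port=*
``` Tag every event with the whitelist entry it matched; isWhitelist stays null for ports not in ports.csv (lookup definition name assumed) ```
| lookup ports.csv Ports AS dst_port OUTPUTNEW Ports AS isWhitelist
| eval whitelisted=if(isnull(isWhitelist), 0, 1)
``` One row: all distinct ports seen, how many of them are whitelisted, and which ones are not ```
| stats dc(dst_port) AS unique_ports,
        dc(eval(if(whitelisted=1, dst_port, null()))) AS matches,
        values(eval(if(whitelisted=0, dst_port, null()))) AS non_whitelisted_ports
| eval unexpected_ports=unique_ports-matches
```

A non-zero unexpected_ports (or a non-empty non_whitelisted_ports list) is the condition to alert on; the inline ``` ``` comments require a Splunk version that supports search comments and can be dropped otherwise.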