
Splunk whitelisting ports as csv



I'm trying to make a search that takes all values from my whitelist and compares them to all destination ports. The goal of this search is to see if a port that is not whitelisted is used. To accomplish this I want to evaluate the distinct count of all destination ports and compare this value to the distinct count of the destination ports that match the whitelist.

My search is as follows:

| inputlookup ports.csv | eval port=Ports | append [search sourcetype=syslog dstport!="" | eval destination=dstport]|stats distinctcount(destination) as uniqueports| stats distinctcount(destination) as matches|where destintation = port|table uniqueports, matches

When I try to run the search no data is found...




sourcetype=syslog dstport=*| lookup ports.csv port as dstport OUTPUTNEW port as isWhitelist | where isnull(isWhitelist)

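The logic behind the answer's lookup-based search, and the two counts the question asked for, carried out in Python as an added example (not code from either poster and not Splunk's own): the whitelist CSV and the syslog lines are constructed inline, the whitelist column is assumed to be named Ports as the question's eval suggests, and the dstport field is assumed to appear as dstport=NNN in the raw event. In the Splunk lookup command itself the field name before "as" must match the CSV header, so a CSV whose column is Ports needs "lookup ports.csv Ports as dstport".

```python
import csv
import io
import re

# Constructed whitelist, standing in for ports.csv (column "Ports" as in the question)
PORTS_CSV = """Ports
22
80
443
"""

# Constructed syslog-style events; one event has no dstport and is skipped,
# mirroring the answer's "dstport=*" filter
SYSLOG_EVENTS = [
    "Jan 10 12:00:01 fw01 conn: src=10.0.0.5 dst=10.0.1.9 dstport=443 action=allow",
    "Jan 10 12:00:02 fw01 conn: src=10.0.0.6 dst=10.0.1.9 dstport=22 action=allow",
    "Jan 10 12:00:03 fw01 conn: src=10.0.0.7 dst=10.0.1.9 dstport=8080 action=allow",
    "Jan 10 12:00:04 fw01 conn: src=10.0.0.5 dst=10.0.1.9 dstport=443 action=allow",
    "Jan 10 12:00:05 fw01 conn: src=10.0.0.8 dst=10.0.1.9 action=deny",
    "Jan 10 12:00:06 fw01 conn: src=10.0.0.9 dst=10.0.1.9 dstport=4444 action=allow",
]

# Assumed event layout: a key=value token "dstport=<digits>"
DSTPORT_RE = re.compile(r"\bdstport=(\d+)\b")


def load_whitelist(csv_text, column="Ports"):
    """Read the whitelist column of the CSV into a set of port strings."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row[column].strip() for row in reader if row.get(column)}


def extract_dstports(events):
    """Yield (event, dstport) for every event that carries a dstport field."""
    for event in events:
        match = DSTPORT_RE.search(event)
        if match:
            yield event, match.group(1)


def non_whitelisted(events, whitelist):
    """Same idea as: lookup ... OUTPUTNEW port as isWhitelist | where isnull(isWhitelist).
    Returns the events whose destination port has no entry in the whitelist."""
    return [event for event, port in extract_dstports(events) if port not in whitelist]


def port_summary(events, whitelist):
    """The numbers the question set out to compute: distinct destination ports seen,
    how many of those are whitelisted, and the ports that are not."""
    seen = {port for _, port in extract_dstports(events)}
    return {
        "uniqueports": len(seen),
        "matches": len(seen & whitelist),
        "unexpected": sorted(seen - whitelist, key=int),
    }


if __name__ == "__main__":
    wl = load_whitelist(PORTS_CSV)
    print(port_summary(SYSLOG_EVENTS, wl))
    for ev in non_whitelisted(SYSLOG_EVENTS, wl):
        print("not whitelisted:", ev)
```

Reporting the unexpected ports themselves, rather than only comparing two distinct counts, is what makes the result actionable: an analyst can see which port was used, not just that the counts differ.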