find only values in 2 index files

katmagee · ‎04-20-2020

I have a index of my gcp firewalls (all of them) and I need to take that and match it against another dataset (firewalls allowed - a CSV) and then return the query for just the information that matches the values in the firewalls allowed with data from gcp_firewall index

Thoughts on what I need to add in the index to achieve that? example syntax below:

index=gcp_firewall "data.jsonPayload.connection.src_ip"="*"
| rename data.jsonPayload.connection.src_ip as Source
| rename data.jsonPayload.connection.dest_ip as Destination
| rename data.jsonPayload.connection.dest_port as Port
| rename data.jsonPayload.instance.vm_name as Name
| rename data.jsonPayload.rule_details.reference as firewall
| dedup Source
| table Source Name Destination Port firewall
| stats count by firewall

This returns EVERY firewall in GCP, when i really just want it to return ones that match the allowed firewall csv.

manjunathmeti · ‎04-20-2020

Assuming firewall field exists in the csv file. Here sub search with inputlookup command filters index gcp_firewall with values in firewall.csv file.

index=gcp_firewall "data.jsonPayload.connection.src_ip"="*" 
    [| inputlookup firewall.csv 
    | rename firewall as "data.jsonPayload.rule_details.reference" 
    | fields "data.jsonPayload.rule_details.reference"] 
| rename data.jsonPayload.connection.src_ip as Source 
| rename data.jsonPayload.connection.dest_ip as Destination 
| rename data.jsonPayload.connection.dest_port as Port 
| rename data.jsonPayload.instance.vm_name as Name 
| rename data.jsonPayload.rule_details.reference as firewall 
| stats latest(*) as * by Source 
| table Source Name Destination Port firewall 
| stats count by firewall

find only values in 2 index files

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!