Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to get total hit count value for traffic passing through ANY ANY rule on firewall:

hadiamro
Engager
‎02-21-2019 12:07 AM

I have a firewall which have a rule with any as source destination and ports, I need to monitor this traffic and check what source and destination ips are passing through along with ports/service information. the following coorelation search provide me the perfect results but in huge events with multiple duplicate traffic, I don't want to use dedup command as if will miss some traffic.

index=paloalto-firewall host="firewall IP" rule="any any rule name" | table _time client_ip src_zone dest_ip dest_zone dest_port rule src_interface dest_interface action

Expected results I need as table: where as 555 is the total hits for this traffic passing through any any rule.

client_ip | src_zone | dest_ip | dest_zone | dest port |rule | src_interface | dest_interface | action |hit_counts
*192.168.1.1 | Inside_zone | 192.168.2.1 | dmz_zone | 80 | rulename | if1 | fi2 | allowed | 555*

Any help would be greatly appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ashajambagi
Communicator
‎02-21-2019 12:50 AM

does using stats solve the problem?

index=paloalto-firewall host="firewall IP" rule="any any rule name" | stats count by client_ip src_zone dest_ip dest_zone dest_port rule src_interface dest_interface action

View solution in original post

Reply
Solved! Jump to solution
Solution

ashajambagi
Communicator
‎02-21-2019 12:50 AM

does using stats solve the problem?

index=paloalto-firewall host="firewall IP" rule="any any rule name" | stats count by client_ip src_zone dest_ip dest_zone dest_port rule src_interface dest_interface action
Reply
Solved! Jump to solution

hadiamro
Engager
‎02-21-2019 05:32 AM

Thanks, it does provide the required results.

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...