So I'm trying to find outside IP addresses hitting our firewall and seeing if they have been blocked or not. Is there a script I can run to find them?
I have this one I'm trying: index="firewall" src_ip=( IP address here ) and I get nothing.
Any help will be appreciated.
Thanks for the answer, but it did not pull what I need. For some reason it's only showing 7 days and nothing for the past 2 days.
You can run a broader search of that IP address to see where it's being captured and the fields it's assigned to.
First, try searching the IP address against your firewall index:
If the above doesn't show results, run a global search by specifying only the IP address.
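The two searches described in the answer above, written out as an added example that is not part of the original thread. Assumptions: 203.0.113.10 is a placeholder IP, `action` is an assumed field name for the allow/block verdict (your firewall add-on may name it differently), and the 14-day window is arbitrary. Run the two searches separately.

```spl
index=firewall "203.0.113.10" earliest=-14d latest=now
| fillnull value="(not extracted)" action
| stats count min(_time) as first_seen max(_time) as last_seen by sourcetype, action
| convert ctime(first_seen) ctime(last_seen)

index=* "203.0.113.10" earliest=-14d latest=now
| stats count max(_time) as last_seen by index, sourcetype, source
| convert ctime(last_seen)
```

Searching for the quoted IP as a raw string finds it even when no `src_ip` field is extracted, and the `last_seen` column shows whether events for recent days are arriving at all or landing in a different index or sourcetype.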
OK, so I have confirmed that the ports are listening and the firewall is talking to Splunk, but Splunk is doing nothing with the logs. Any ideas?