Reporting

How do I create a Firewall Report with Both Destination IP and Destination Port?

Engager

I would like to know how to create a Firewall Deny Report that looks like this.

alt text

Tags (2)

Splunk Employee
Splunk Employee

Hey JR- one way to do that is to do a statistical count of destination ports and destination IPs that have been denied, then chart a sum by the destination ports and destination IPs as they apply.
sourcetype="firewall" action=deny | stats count by dst dst_port | chart sum(count) by dst dst_port. the fields will depend on your extracted fields, but give that a shot, it should do the trick.

Contributor

Any idea on how to use the output of that report but limit the number of IP's to say 5-10 and list them along the bottom?

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!