Security & the Enterprise
Much secured. So patch!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Eval match value if port=3389 between 2 fields.

swengroeneveld
Explorer
‎02-09-2021 01:12 AM


Good morning to you all,

In the same index I have 2 fields called port1 and port2.
Port1 and Port2 can both have values between 0-65535.

I want determine if there is port 3389.

This is part of the solwarwinds recommendation list (outward facing ports) from CISA.
Pretty much I am stuck with match or between or if in the eval (not my strong suit).

Your feedback is valued so thanks in advance!

0 Karma
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎02-09-2021 02:08 AM

I think below should work;

| eval RDPport=if(port1<=3389 AND port2>=3389,"TRUE","FALSE")
If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

0 Karma
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎02-09-2021 02:08 AM

I think below should work;

| eval RDPport=if(port1<=3389 AND port2>=3389,"TRUE","FALSE")
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎02-09-2021 01:30 AM

I couldn't get your need. Could you please describe more? 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Solved! Jump to solution

swengroeneveld
Explorer
‎02-09-2021 01:38 AM

Sure, the result should be something like:

port1port2 RDPport
065535TRUE
33893389TRUE
2222FALSE
443443FALSE
01023FALSE
102365535TRUE

 

Does this make it more clear?

0 Karma
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎02-09-2021 01:21 AM

Hi @swengroeneveld,

You can use below query;

| search port1=3389 OR port2=3389
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Solved! Jump to solution

swengroeneveld
Explorer
‎02-09-2021 01:23 AM

True, but that does not take in account if

port1 = 0 AND port2=4400

OR

port1 =3388 AND port2 = 65535

0 Karma
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...