Security & the Enterprise
Much secured. So patch!

Eval match value if port=3389 between 2 fields.

swengroeneveld
Explorer


Good morning to you all,

In the same index I have 2 fields called port1 and port2.
Port1 and Port2 can both have values between 0-65535.

I want determine if there is port 3389.

This is part of the solwarwinds recommendation list (outward facing ports) from CISA.
Pretty much I am stuck with match or between or if in the eval (not my strong suit).

Your feedback is valued so thanks in advance!

0 Karma
1 Solution

scelikok
SplunkTrust
SplunkTrust

I think below should work;

| eval RDPport=if(port1<=3389 AND port2>=3389,"TRUE","FALSE")
If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

0 Karma

scelikok
SplunkTrust
SplunkTrust

I think below should work;

| eval RDPport=if(port1<=3389 AND port2>=3389,"TRUE","FALSE")
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

scelikok
SplunkTrust
SplunkTrust

I couldn't get your need. Could you please describe more? 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

swengroeneveld
Explorer

Sure, the result should be something like:

port1port2 RDPport
065535TRUE
33893389TRUE
2222FALSE
443443FALSE
01023FALSE
102365535TRUE

 

Does this make it more clear?

0 Karma

scelikok
SplunkTrust
SplunkTrust

Hi @swengroeneveld,

You can use below query;

| search port1=3389 OR port2=3389
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

swengroeneveld
Explorer

True, but that does not take in account if

port1 = 0 AND port2=4400

OR

port1 =3388 AND port2 = 65535

0 Karma
Get Updates on the Splunk Community!

Notification Email Migration Announcement

The Notification Team is migrating our email service provider from Postmark to AWS Simple Email Service (SES) ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...