Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Search Syntax to show service & dstport

Naz_Lightening
Engager
‎07-15-2021 04:18 AM

Hi,

I'm running the below syntax on Splunk Enterprise to get traffic logs from Fortigate firewalls:

index="fortinet" "devname=" "xxxxx-xxxxxx" "vd=" "xxx-xxxxx" policyid=5 action=accept
| stats count by srcip, dstip, dstport, service, action, date, time, policyid
| dedup srcip dstip dstport service consecutive=true
| sort 0 field

This gives me all TCP & UDP traffic, then I can download & filter in a .csv but doesn't pick up ICMP traffic (specifically icmp type 8). I have to run a separate syntax to get just ICMP as below:

index="fortinet" "devname=" "xxxxx-xxxxxx" "vd=" "xxx-xxxxx" policyid=5 action=accept
| stats count by srcip, dstip, service, action, date, time, policyid
| dedup srcip dstip service consecutive=true
| sort 0 field

It seems that because ICMP has no dstport the syntax needs adjusting.

I need is a syntax that will return all traffic, i.e. TCP, UDP & ICMP.

Please advise?

Naz

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-15-2021 04:52 AM

Try fillnull for the dstport

index="fortinet" "devname=" "xxxxx-xxxxxx" "vd=" "xxx-xxxxx" policyid=5 action=accept
| fillnull value=0 dstport
| stats count by srcip, dstip, dstport, service, action, date, time, policyid
| dedup srcip dstip dstport service consecutive=true
| sort 0 field

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-15-2021 04:52 AM

Try fillnull for the dstport

index="fortinet" "devname=" "xxxxx-xxxxxx" "vd=" "xxx-xxxxx" policyid=5 action=accept
| fillnull value=0 dstport
| stats count by srcip, dstip, dstport, service, action, date, time, policyid
| dedup srcip dstip dstport service consecutive=true
| sort 0 field
0 Karma
Reply
Solved! Jump to solution

Naz_Lightening
Engager
‎07-15-2021 06:29 AM

@ITWhisperer cheers that's done it nicely!

0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎07-15-2021 04:40 AM

Hi @Naz_Lightening 

Can you try this SPL? I hope it works without looking at data its a guess let me know how you go.

index="fortinet" "devname=" "xxxxx-xxxxxx" "vd=" "xxx-xxxxx" policyid=5 action=accept 
| eval dstport=if(isnull(dstport),"none", dstport) 
| stats count by srcip, dstip, dstport, service, action, date, time, policyid 
| dedup srcip dstip dstport service consecutive=true 
| search dstport!="none"
| sort 0 field

  --

An upvote would be appreciated and Accept solution if this reply helps!

0 Karma
Reply
Get Updates on the Splunk Community!

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...