Splunk Enterprise

Splunk Search Syntax to show service & dstport

Naz_Lightening
Engager

Hi,

I'm running the below syntax on Splunk Enterprise to get traffic logs from Fortigate firewalls:

index="fortinet" "devname=" "xxxxx-xxxxxx" "vd=" "xxx-xxxxx" policyid=5 action=accept
| stats count by srcip, dstip, dstport, service, action, date, time, policyid
| dedup srcip dstip dstport service consecutive=true
| sort 0 field

This gives me all TCP & UDP traffic, then I can download & filter in a .csv but doesn't pick up ICMP traffic (specifically icmp type 8). I have to run a separate syntax to get just ICMP as below:

index="fortinet" "devname=" "xxxxx-xxxxxx" "vd=" "xxx-xxxxx" policyid=5 action=accept
| stats count by srcip, dstip, service, action, date, time, policyid
| dedup srcip dstip service consecutive=true
| sort 0 field

It seems that because ICMP has no dstport the syntax needs adjusting.

I need is a syntax that will return all traffic, i.e. TCP, UDP & ICMP.

Please advise?

Naz

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Try fillnull for the dstport

index="fortinet" "devname=" "xxxxx-xxxxxx" "vd=" "xxx-xxxxx" policyid=5 action=accept
| fillnull value=0 dstport
| stats count by srcip, dstip, dstport, service, action, date, time, policyid
| dedup srcip dstip dstport service consecutive=true
| sort 0 field

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try fillnull for the dstport

index="fortinet" "devname=" "xxxxx-xxxxxx" "vd=" "xxx-xxxxx" policyid=5 action=accept
| fillnull value=0 dstport
| stats count by srcip, dstip, dstport, service, action, date, time, policyid
| dedup srcip dstip dstport service consecutive=true
| sort 0 field

View solution in original post

0 Karma

Naz_Lightening
Engager

@ITWhisperer cheers that's done it nicely!

0 Karma

venkatasri
SplunkTrust
SplunkTrust

Hi @Naz_Lightening 

Can you try this SPL? I hope it works without looking at data its a guess let me know how you go.

index="fortinet" "devname=" "xxxxx-xxxxxx" "vd=" "xxx-xxxxx" policyid=5 action=accept 
| eval dstport=if(isnull(dstport),"none", dstport) 
| stats count by srcip, dstip, dstport, service, action, date, time, policyid 
| dedup srcip dstip dstport service consecutive=true 
| search dstport!="none"
| sort 0 field

  --

An upvote would be appreciated and Accept solution if this reply helps!

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!