Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

ASA searching for current open connections that have been Built but with no teardown

FC50
Path Finder
‎12-01-2020 05:49 AM

Hello,

I'm pretty new to SPLUNK and I'm looking for help trying to find ASA open connections between two endpoints.

Most connections I search for have a 'Built' action and then some time after a corresponding 'teardown' action. I'm looking for those connections that have the 'Built' action  but not the 'teardown' action.

The basic search I have pulls down all of the connections between the two:. 

index="cisco" src_ip="10.55.45.12" dest_ip="10.65.45.20" dest_port=445

Is there a way to expand this search to find  these open connections based on the absence of a teardown?  

Is there a way to 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-04-2020 10:03 AM

I've tweaked my answer to only look for allowed and teardown actions and then leave only those sessions with the most recent action of "allowed".

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

FC50
Path Finder
‎12-07-2020 05:40 AM

Cool, thanks. That seems to have done the trick

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-01-2020 09:44 AM

Here's one way to do that.

index="cisco" src_ip="10.55.45.12" dest_ip="10.65.45.20" dest_port=445
| dedup session,action
| where action="built"

It assumes there is a field called "session" that uniquely identifies a connection between the two points.  Change that to match whatever you have in your data.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

FC50
Path Finder
‎12-04-2020 09:41 AM

Thanks for the response but no joy unfortunately.

It's still bringing up the thousands of results with the allowed action (I mistakenly called it built earlier) , and not showing just the few that only had the allowed action and not a corresponding teardown.

The allowed and teardown options do share a field called 'session_id' which is a long number

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-04-2020 10:03 AM

I've tweaked my answer to only look for allowed and teardown actions and then leave only those sessions with the most recent action of "allowed".

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...