Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Alert when firewall stops reporting to syslog

te25
Engager
‎05-19-2025 04:40 AM

Hello. 
I am working on creating an alert in Splunk for detecting when a firewall stops sending logs. We have all logs from firewalls forwarded to syslog in Splunk as sourcetype=pan:traffic . The problem is we have ha-pairs/ active and passive firewall and I don't see how to construct the query to check when BOTH firewalls (let's say active city-fw01 and passive city-fw02) don't send logs. We have more than 100 devices so I am using a lookup table with the list. 
Any idea would be great, thanks.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

livehybrid
SplunkTrust
SplunkTrust
‎05-19-2025 04:58 AM

Hi @te25 

This might work, it assumes the lookup has a list of firewalls with a "host" field:

| inputlookup firewall_lookup.csv 
| eval reported=0 
| append 
    [ search index=yourIndex sourcetype=pan:traffic earliest=-15m 
    | stats count by host 
    | eval reported=1 
    | fields firewall reported ] 
| stats max(reported) as reported by host 
| rex field=host "(?<pair>[^0-9]+)"
| stats sum(reported) as reporting_count, values(host) as firewalls by pair 
| where reporting_count=0 
| table pair firewalls

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

View solution in original post

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎05-19-2025 07:46 AM

Hi

here is list of different articles how this can do in splunk.

There are a lot of options for finding hosts or sources that stop submitting events:

Some helpful posts:

 

0 Karma
Reply
Solved! Jump to solution
Solution

livehybrid
SplunkTrust
SplunkTrust
‎05-19-2025 04:58 AM

Hi @te25 

This might work, it assumes the lookup has a list of firewalls with a "host" field:

| inputlookup firewall_lookup.csv 
| eval reported=0 
| append 
    [ search index=yourIndex sourcetype=pan:traffic earliest=-15m 
    | stats count by host 
    | eval reported=1 
    | fields firewall reported ] 
| stats max(reported) as reported by host 
| rex field=host "(?<pair>[^0-9]+)"
| stats sum(reported) as reporting_count, values(host) as firewalls by pair 
| where reporting_count=0 
| table pair firewalls

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-19-2025 04:48 AM

Have your lookup return the common name for the ha pair and detect when the pair has not sent logs (recently)

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...