Splunk Search

Can you help me figure out the best way to write the following query?

sherrysafdar
Explorer

Kindly provide a better way to write the query in the below example.

Also, one more thing I need help with is the hit count on destination port.

index="cisco_asa_index" sourcetype="cisco:asa" src_zone=TP-OUTSIDE src_ip="*" src_port="*" dest_zone=DMZ dest_ip="*" dest_port="*"  
| iplocation src_ip 
| table src_zone,src_ip,Country,City,src_port,dest_zone,dest_ip,acl,dest_port,transport
| eval protocol=transport+"/"+dest_port
| fields - dest_port, transport

Thanks,

0 Karma
1 Solution

renjith_nair
SplunkTrust
SplunkTrust

@sherrysafdar,

Your search seems to be right except the table which could be replaced by fields. However, it depends on whats the final result you want to achieve - probably a statistics with the data available.

To get a count of destination port in each event, you may add eventstats by dest_port to the search .

index="cisco_asa_index" sourcetype="cisco:asa" src_zone=TP-OUTSIDE src_ip="" src_port="" dest_zone=DMZ dest_ip="" dest_port="" 
| iplocation src_ip 
| table src_zone,src_ip,Country,City,src_port,dest_zone,dest_ip,acl,dest_port,transport
| eval protocol=transport+"/"+dest_port
| eventstats count by dest_port
| fields - transport

Happy to assist further.

View solution in original post

0 Karma

jvishwak
Path Finder

One suggestion, you can have table command in last, and fields command as early as in query.

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@sherrysafdar,

Your search seems to be right except the table which could be replaced by fields. However, it depends on whats the final result you want to achieve - probably a statistics with the data available.

To get a count of destination port in each event, you may add eventstats by dest_port to the search .

index="cisco_asa_index" sourcetype="cisco:asa" src_zone=TP-OUTSIDE src_ip="" src_port="" dest_zone=DMZ dest_ip="" dest_port="" 
| iplocation src_ip 
| table src_zone,src_ip,Country,City,src_port,dest_zone,dest_ip,acl,dest_port,transport
| eval protocol=transport+"/"+dest_port
| eventstats count by dest_port
| fields - transport

Happy to assist further.

View solution in original post

0 Karma

sherrysafdar
Explorer

Awesome, it worked like a charm, thanks!

0 Karma

jvishwak
Path Finder

you are searching for dest_port with blank value, and then doing event stats on it? will it give any result?

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@jvishwak, Just FYI - its not empty in real search but it has been sanitized to remove potential confidential elements.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!