Splunk Search

Can you help me figure out the best way to write the following query?

sherrysafdar
Explorer

Kindly provide a better way to write the query in the below example.

Also, one more thing I need help with is the hit count on destination port.

index="cisco_asa_index" sourcetype="cisco:asa" src_zone=TP-OUTSIDE src_ip="*" src_port="*" dest_zone=DMZ dest_ip="*" dest_port="*"  
| iplocation src_ip 
| table src_zone,src_ip,Country,City,src_port,dest_zone,dest_ip,acl,dest_port,transport
| eval protocol=transport+"/"+dest_port
| fields - dest_port, transport

Thanks,

0 Karma
1 Solution

renjith_nair
SplunkTrust
SplunkTrust

@sherrysafdar,

Your search seems to be right except the table which could be replaced by fields. However, it depends on whats the final result you want to achieve - probably a statistics with the data available.

To get a count of destination port in each event, you may add eventstats by dest_port to the search .

index="cisco_asa_index" sourcetype="cisco:asa" src_zone=TP-OUTSIDE src_ip="" src_port="" dest_zone=DMZ dest_ip="" dest_port="" 
| iplocation src_ip 
| table src_zone,src_ip,Country,City,src_port,dest_zone,dest_ip,acl,dest_port,transport
| eval protocol=transport+"/"+dest_port
| eventstats count by dest_port
| fields - transport

Happy to assist further.

Happy Splunking!

View solution in original post

0 Karma

jvishwak
Path Finder

One suggestion, you can have table command in last, and fields command as early as in query.

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@sherrysafdar,

Your search seems to be right except the table which could be replaced by fields. However, it depends on whats the final result you want to achieve - probably a statistics with the data available.

To get a count of destination port in each event, you may add eventstats by dest_port to the search .

index="cisco_asa_index" sourcetype="cisco:asa" src_zone=TP-OUTSIDE src_ip="" src_port="" dest_zone=DMZ dest_ip="" dest_port="" 
| iplocation src_ip 
| table src_zone,src_ip,Country,City,src_port,dest_zone,dest_ip,acl,dest_port,transport
| eval protocol=transport+"/"+dest_port
| eventstats count by dest_port
| fields - transport

Happy to assist further.

Happy Splunking!
0 Karma

sherrysafdar
Explorer

Awesome, it worked like a charm, thanks!

0 Karma

jvishwak
Path Finder

you are searching for dest_port with blank value, and then doing event stats on it? will it give any result?

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@jvishwak, Just FYI - its not empty in real search but it has been sanitized to remove potential confidential elements.

Happy Splunking!
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...