We are trying to monitor Firewall events from' X ' Environment coming to Splunk. I took the all hosts (600 hosts) related to 'X' environment and created lookup. I am able to see all events with below search but the search is too expensive and takes almost 15 minutes. For security reasons I took all names of index and Ips .When i search I included them. Can any one help with the search?
index=test1 OR index=test2* OR index=test3* action=blocked dest=* NOT(msg="Deny TCP (no connection) from * flags RST on interface *") (src_ip=*/* OR src_ip=*/* OR src_ip=*/* OR src_ip=*/*) | lookup hostlist.csv IP as dest | search list=y | dedup dest_port src_ip dest_ip host rule | table dest_port src_ip dest_ip host rule list
Sorry that this is not an answer more some ideas, but
“Some trusted people were chatting...here you go. Don’t mind the ‘what the hell is this’ commentary” 🙂
If you wonder about who the trusted people were, some of these guys https://www.splunk.com/blog/2017/09/26/the-splunktrust-2018-in-all-its-fezzed-glory.html
Thanks @ MuS .I very lucky and happy that Splunk trust team replied me .I believe 600 hosts so it is taking that long to check hosts for only 4 hours of data .
Okay some options here:
NOTinstead search for exactly what you want
[ | inputlookup hotlist.csv | dedup host | table host | format ]this will create a group of
((host=x) OR (host=y) OR ...and speeds up the search
What is a lookup for ”lookup hostlist.csv IP as dest ”?
index=test1 OR index=test2* OR index=test3* action=blocked dest=* NOT(msg="Deny TCP (no connection) from * flags RST on interface *") (src_ip=*/* OR src_ip=*/* OR src_ip=*/* OR src_ip=*/*) [|inputlookup hostlist.csv|fields IP|rename IP as dest ]
Use TERM for IP search
srcip=TERM(184.108.40.206) OR srcip=TERM(220.127.116.11)
Using fields reduces the required fields.
table xxx,xxx->fields xxx,xxx
try searching for ASA instead. you may need to define a lookup csv containing your ASA codes
e.g. my csv contains
106027 %ASA-4-106027 Error Yes Port 107001 %ASA-1-107001 Error Yes Attempt 107002 %ASA-1-107002 Error Yes Attempt 109017 %ASA-4-109017 Error Yes DoS https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog.html