How do I clean up the following Splunk search?
index=firewall Destination_Port!=80 Destination_Port!=443 Destination_Port!=8080 Source_Port!=80 Source_Port!=443 Source_Port!=8080 1_Dst_Port!=80 1_Dst_Port!=443 1_Dst_Port!=8080 1_Src_Port!=80 1_Src_Port!=443 1_Src_Port!=8080 1_Dst_Nat_Port!=80 1_Dst_Nat_Port!=443 1_Dst_Nat_Port!=8080 1_Src_Nat_Port!=80 1_Src_Nat_Port!=443 1_Src_Nat_Port!=8080
May something like this
index=firewall NOT [| gentimes start=-1 | eval fields="Destination_Port Source_Port 1_Dst_Port 1_Src_Port 1_Dst_Nat_Port 1_Src_Nat_Port" | eval ports="80 443 8080" | fields fields ports | makemv fields | makemv ports | mvexpand fields | mvexpand ports | eval {fields}=ports | fields - fields ports | format "" "" "" "OR" "" ""]
Just add/update/remove field names and the port numbers in the subsearch.
May something like this
index=firewall NOT [| gentimes start=-1 | eval fields="Destination_Port Source_Port 1_Dst_Port 1_Src_Port 1_Dst_Nat_Port 1_Src_Nat_Port" | eval ports="80 443 8080" | fields fields ports | makemv fields | makemv ports | mvexpand fields | mvexpand ports | eval {fields}=ports | fields - fields ports | format "" "" "" "OR" "" ""]
Just add/update/remove field names and the port numbers in the subsearch.
without the format command, the query works. Thanks!
I'm trying to get the query going back 3 days, so I've tried the "gentimes" command formatting as such: gentimes start=1/31/16 end=2/2/16, and I've also tried: gentimes start=-3 end=0 interval=1d, but my query only goes back 1 hour. Could you possibly indicate where my syntax is wrong.
Also, I get the following error: Error in 'search' command: Unable to parse the search: 'OR' operator is missing a clause on the right hand side.
When I add two double quotes to the right of the 'OR' operator, I get the following error: Error in 'format' command: Invalid argument: ''
Try running it with the format command. So just this
index=firewall NOT [| gentimes start=-1 | eval fields="Destination_Port Source_Port 1_Dst_Port 1_Src_Port 1_Dst_Nat_Port 1_Src_Nat_Port" | eval ports="80 443 8080" | fields fields ports | makemv fields | makemv ports | mvexpand fields | mvexpand ports | eval {fields}=ports | fields - fields ports ]
if I wanted the search to go back 3 days, would the "gentimes start=-3d"?
Ohh no. The gentimes is basically an event generator that I use (your can use just the '| stats count' as well there). It has nothing to do with the requirement you've here. The subsearch is generating the dynamic conditions (you can check the normalizedSearch property in Inspect job) from the results of the subsearch. For more details just run the subsearch in a separate search page.