How can I clean up my Splunk search?

Explorer

How do I clean up the following Splunk search?

index=firewall Destination_Port!=80 Destination_Port!=443 Destination_Port!=8080 Source_Port!=80 Source_Port!=443 Source_Port!=8080 1_Dst_Port!=80 1_Dst_Port!=443 1_Dst_Port!=8080 1_Src_Port!=80 1_Src_Port!=443 1_Src_Port!=8080 1_Dst_Nat_Port!=80 1_Dst_Nat_Port!=443 1_Dst_Nat_Port!=8080 1_Src_Nat_Port!=80 1_Src_Nat_Port!=443 1_Src_Nat_Port!=8080

Re: How can I clean up my Splunk search?

SplunkTrust

Maybe something like this:

index=firewall NOT [| gentimes start=-1 | eval fields="Destination_Port Source_Port 1_Dst_Port 1_Src_Port 1_Dst_Nat_Port 1_Src_Nat_Port" | eval ports="80 443 8080" | fields fields ports | makemv fields | makemv ports | mvexpand fields | mvexpand ports | eval {fields}=ports | fields - fields ports | format "" "" "" "OR" "" ""]

Just add/update/remove field names and the port numbers in the subsearch.


Re: How can I clean up my Splunk search?

Explorer

If I wanted the search to go back 3 days, would it be "gentimes start=-3d"?


Re: How can I clean up my Splunk search?

SplunkTrust

Ohh no. The gentimes is basically an event generator that I use (you can use just '| stats count' there as well). It has nothing to do with the requirement you have here. The subsearch is generating the dynamic conditions (you can check the normalizedSearch property in Inspect Job) from the results of the subsearch. For more details, just run the subsearch in a separate search page.


Re: How can I clean up my Splunk search?

Explorer

Also, I get the following error: Error in 'search' command: Unable to parse the search: 'OR' operator is missing a clause on the right hand side.

When I add two double quotes to the right of the 'OR' operator, I get the following error: Error in 'format' command: Invalid argument: ''


Re: How can I clean up my Splunk search?

SplunkTrust

Try running it without the format command. So just this:

index=firewall NOT [| gentimes start=-1 | eval fields="Destination_Port Source_Port 1_Dst_Port 1_Src_Port 1_Dst_Nat_Port 1_Src_Nat_Port" | eval ports="80 443 8080" | fields fields ports | makemv fields | makemv ports | mvexpand fields | mvexpand ports | eval {fields}=ports | fields - fields ports ]
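To make the two points above concrete (the subsearch only produces one field=port row per combination, and the six positional arguments of `format` are what decide whether a trailing OR appears), here is an added Python emulation; it is not part of the thread and not Splunk's own code, and it assumes Splunk's documented argument order for format (row prefix, column prefix, column separator, column end, row separator, row end) with space-joined tokens and quoted values.

```python
from itertools import product

# Constructed inputs mirroring the subsearch in the thread: the two multivalue
# fields that the two mvexpand commands turn into one row per (field, port) pair.
FIELDS = "Destination_Port Source_Port 1_Dst_Port 1_Src_Port 1_Dst_Nat_Port 1_Src_Nat_Port".split()
PORTS = "80 443 8080".split()

# Defaults Splunk applies when a subsearch ends without an explicit format.
DEFAULT_FORMAT = ("(", "(", "AND", ")", "OR", ")")
# Arguments used in the thread's first answer (column_end="OR") and a corrected
# set that puts OR in the row-separator slot instead (assumed fix, for illustration).
THREAD_FORMAT = ("", "", "", "OR", "", "")
FIXED_FORMAT = ("", "", "", "", "OR", "")


def expand_rows(fields, ports):
    """Emulate `mvexpand fields | mvexpand ports | eval {fields}=ports | fields - fields ports`:
    a single-column row for every field/port combination."""
    return [{f: p} for f, p in product(fields, ports)]


def format_rows(rows, row_prefix, col_prefix, col_sep, col_end, row_sep, row_end):
    """Emulate `format` with its six positional arguments. Emulation only:
    tokens are space-joined, values quoted as in subsearch output, and an
    empty argument contributes no token (which is how a trailing OR appears)."""
    rendered = []
    for row in rows:
        cols = [f'{name}="{value}"' for name, value in row.items()]
        body = (f" {col_sep} " if col_sep else " ").join(cols)
        rendered.append(" ".join(t for t in (col_prefix, body, col_end) if t))
    joined = (f" {row_sep} " if row_sep else " ").join(rendered)
    return " ".join(t for t in (row_prefix, joined, row_end) if t)


def build_subsearch(fmt=DEFAULT_FORMAT):
    """Return the search string the subsearch would hand to the outer NOT."""
    return format_rows(expand_rows(FIELDS, PORTS), *fmt)


def has_dangling_operator(spl):
    """The condition that triggers 'OR operator is missing a clause on the right hand side'."""
    return spl.rstrip().endswith((" OR", " AND"))


if __name__ == "__main__":
    for label, fmt in (("default", DEFAULT_FORMAT), ("thread", THREAD_FORMAT), ("fixed", FIXED_FORMAT)):
        spl = build_subsearch(fmt)
        print(f"{label:8} dangling={has_dangling_operator(spl)}  NOT {spl}")
```

Running it shows that only the thread's argument set ends in a bare OR, while both the default and the row-separator form yield 18 conditions joined by 17 ORs.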

Re: How can I clean up my Splunk search?

Explorer

Without the format command, the query works. Thanks!


Re: How can I clean up my Splunk search?

Explorer

I'm trying to get the query going back 3 days, so I've tried formatting the "gentimes" command as such: gentimes start=1/31/16 end=2/2/16, and I've also tried: gentimes start=-3 end=0 interval=1d, but my query only goes back 1 hour. Could you possibly indicate where my syntax is wrong?
