How do you search port ranges and match to service?


Hi Guys,

I hope someone can help me.

I'm looking to search through several port ranges and match them against one or multiple services that the port ranges map to.

For example:

From_Port  To_Port  Service
3600       3389     MySQL RDP

Right now, my search is only matching on the first value, which is MySQL, and not on MySQL and RDP.

Does anyone have a smart way of doing this? I believe you can use a lookup, but you need to specify each port, and the ranges are massive.


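An added example (not code from the question or from any of the answers) of the data-handling problem the question describes: a range table such as From_Port/To_Port/Service is expanded into the one-row-per-port table a Splunk CSV or KV-store lookup needs, and ports covered by several ranges keep every matching service instead of only the first one. The range rows, service names and the `|` delimiter are constructed for illustration; the column names follow the table in the question.

```python
"""Expand a port-range -> service table into a per-port lookup, keeping all matches.

Added example with constructed data; the CSV layout (From_Port, To_Port, Service)
mirrors the table in the question, the values are made up for illustration.
"""
import csv
import io
from collections import defaultdict

# Constructed sample. The overlap between Legacy-App and the single-port rows is
# deliberate so that one port maps to several services (the "MySQL and RDP" case).
RANGE_CSV = """From_Port,To_Port,Service
3306,3306,MySQL
3389,3389,RDP
3300,3400,Legacy-App
80,80,HTTP
443,443,HTTPS
8443,8443,HTTPS-Alt
"""


def load_ranges(text):
    """Parse the range CSV into (low, high, service) tuples, rejecting bad bounds."""
    ranges = []
    for row in csv.DictReader(io.StringIO(text)):
        low, high = int(row["From_Port"]), int(row["To_Port"])
        if not (0 <= low <= high <= 65535):
            raise ValueError(f"bad range {low}-{high} for {row['Service']}")
        ranges.append((low, high, row["Service"].strip()))
    return ranges


def services_for_port(ranges, port):
    """Interval scan: every service whose range covers the port, sorted, no duplicates.

    This answers a single port without expanding anything, which is what you
    want when the ranges are large and the query volume is small.
    """
    return sorted({svc for low, high, svc in ranges if low <= port <= high})


def expand_to_lookup(ranges, delimiter="|"):
    """Expand ranges into one row per port; several services are joined with delimiter.

    This is the shape a Splunk CSV/KV-store lookup needs (one port per row).
    Overlapping ranges are merged rather than letting the first match win.
    """
    per_port = defaultdict(set)
    for low, high, svc in ranges:
        for port in range(low, high + 1):
            per_port[port].add(svc)
    return [(port, delimiter.join(sorted(svcs)))
            for port, svcs in sorted(per_port.items())]


def write_lookup_csv(rows):
    """Render the expanded rows as the CSV text you would upload as a lookup file."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["port", "service"])
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    rs = load_ranges(RANGE_CSV)
    print(services_for_port(rs, 3389))          # ['Legacy-App', 'RDP']
    print(write_lookup_csv(expand_to_lookup(rs))[:120])
```

Once the generated CSV is uploaded as a lookup, `| lookup <name> port AS dest_port OUTPUT service | makemv delim="|" service` turns the joined column back into a multivalue field, so a port covered by two ranges reports both services. The same expansion can also be done inside Splunk from the range lookup with `mvrange`, `mvexpand`, `stats values(Service) BY port` and `outputlookup`; the script above is just the offline version of that step.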

Esteemed Legend

Create a lookup called AppPortLookup which has entries like this:

app    port
ssl    443,8443
http   80,443

Then, you can do something like this:

| tstats summariesonly=true count min(_time) AS firstTime max(_time) AS lastTime 
FROM datamodel=Network_Traffic 
   [|inputlookup AppPortLookup 
   | rename app AS All_Traffic.app
   | rename port AS All_Traffic.dest_port
   | format
   | rex field=search mode=sed "s/AND \"All_Traffic.dest_port\"=/AND NOT \"All_Traffic.dest_port\" IN(/g s/ \) /) ) /g s/,/\",\"/g" ]
BY All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.dest_port
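
The check that the tstats/inputlookup search above builds textually (for each app in the lookup, flag traffic where dest_port is NOT one of that app's listed ports), rendered as an added Python example so the logic can be read and tested outside Splunk. This is not the answer's own code: the lookup rows and the flow records are constructed for illustration, and the record shape (src_ip, dest_ip, app, dest_port, epoch time) is only an assumption about what the Network_Traffic data model would hand back.

```python
"""App-on-unexpected-port check, the logic behind the inputlookup subsearch above.

Added example; lookup rows and flows below are constructed for illustration.
"""
import csv
import io

# Same columns as the AppPortLookup in the answer; rows are constructed.
APP_PORT_LOOKUP = """app,port
ssl,"443,8443"
http,"80,443"
ssh,22
"""

# Constructed flow records: (src_ip, dest_ip, app, dest_port, _time as epoch seconds).
FLOWS = [
    ("10.0.0.5", "203.0.113.9", "ssl", 443, 1000),
    ("10.0.0.5", "203.0.113.9", "ssl", 8443, 1010),
    ("10.0.0.7", "198.51.100.2", "ssh", 443, 1020),    # ssh hidden on an HTTPS port
    ("10.0.0.7", "198.51.100.2", "ssh", 443, 1080),
    ("10.0.0.9", "198.51.100.3", "http", 8080, 1100),  # http on an unlisted port
    ("10.0.0.9", "198.51.100.3", "dns", 53, 1110),     # app not in the lookup at all
]


def load_app_ports(text):
    """Return {app: set of expected dest ports}.

    Splitting the comma list here is what the sed rewrite in the answer does to
    the formatted subsearch text (turning "443,8443" into IN("443","8443")).
    """
    expected = {}
    for row in csv.DictReader(io.StringIO(text)):
        expected[row["app"]] = {int(p) for p in row["port"].split(",") if p.strip()}
    return expected


def find_app_on_unexpected_port(flows, expected, include_unknown_apps=False):
    """Group flows whose app is known but whose dest_port is not an expected one.

    Returns {(src, dest, app, port): (count, first_seen, last_seen)}, the same
    split and aggregates the tstats BY clause produces. Apps that are absent from
    the lookup are skipped unless include_unknown_apps is set, because the search
    only generates a clause for apps that have a lookup row.
    """
    hits = {}
    for src, dst, app, port, ts in flows:
        if app not in expected:
            if not include_unknown_apps:
                continue
        elif port in expected[app]:
            continue  # normal: port is one the app is expected to use
        key = (src, dst, app, port)
        count, first, last = hits.get(key, (0, ts, ts))
        hits[key] = (count + 1, min(first, ts), max(last, ts))
    return hits


if __name__ == "__main__":
    expected_ports = load_app_ports(APP_PORT_LOOKUP)
    for key, (count, first, last) in find_app_on_unexpected_port(FLOWS, expected_ports).items():
        print(key, count, first, last)
```

Note the caveat this makes visible: a lookup that lists 443 under both ssl and http is fine for this check (each app is tested only against its own row), but an app seen on a port that is entirely absent from the lookup produces nothing unless you opt in, so a lookup built from a partial port list silently narrows what the search can report.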

Ultra Champion

A lookup is a good approach for this, but yes, you would need to specify each of the ports to make the reporting comprehensive, and there are a number of services which share ports with other applications. However, you can download a ready-made CSV list of all the assigned ports from here:


This would give you a head start, but if you have custom apps/services, you may want to consider manually adding these to your lookup.

Also, this file is quite big, so you may wish to consider loading it into the KV store instead of using a CSV lookup.

If my comment helps, please give it a thumbs up!