I am looking to build a static lookup table for firewall ACL lookup. Essentially, I would like the lookup to match on dstport and determine if the port matches an existing ACL rule name. I have an any-any rule that I'm trying to clean up, and the idea is to have Splunk tell me if the dstport matches an existing ACL rule entry. If no rule match is made, then the connection is permitted via an any-any rule.
I'm looking to match on dstport. In this example, traffic connections on 80 and 53 would match a rulename, as in the example below.
The idea is, if traffic connections do not match on a specific entry, then state something like this: