As the title says, I have a list of subnets and I would like to create a search which would show traffic (using Palo logs) passing through those subnets. It should still show those subnets that had no traffic.
I am using the query below, but it doesn't return results for those subnets with 0 traffic.
If anyone can help with a better version of this query with a lookup and possibly using datamodels, that would be great.
index=palo sourcetype=pan:log
|eval stan=case(cidrmatch("10.0.0.0/24",src),"stanA",cidrmatch("10.0.1.0/24",src),"stanB",cidrmatch("10.0.2.0/24",src),"stanC")
|stats count by stan
Finding something that is not there is not Splunk's strong suit. See this blog entry for a good write-up on it.
https://www.duanewaddle.com/proving-a-negative/
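The usual way to get the zero rows back is to make the list of subnets a lookup and then append the lookup itself, with count=0, to the search results so every subnet is guaranteed a row before the final stats. The following search is an added example and is not part of the question or the answer above. It assumes a CSV lookup named subnets.csv with the columns cidr and stan (for example "10.0.0.0/24,stanA"), uploaded and exposed through a lookup definition also named subnets_cidr whose match type is set to CIDR(cidr) (transforms.conf: match_type = CIDR(cidr)); without that match type the lookup command would only do exact string matches against src.

```spl
index=palo sourcetype=pan:log
``` Tag each event with the subnet name whose CIDR block contains the source address.
| lookup subnets_cidr cidr AS src OUTPUT stan
``` Drop traffic that is not from any subnet in the list.
| where isnotnull(stan)
``` Count the traffic that was actually seen, per subnet.
| stats count AS count BY stan
``` Append one row per subnet from the lookup with a count of 0, so subnets with no events still appear.
| append [| inputlookup subnets_cidr | fields stan | eval count=0]
``` Merge the real counts with the zero rows; subnets with traffic keep their count, the rest show 0.
| stats sum(count) AS count BY stan
```

If you prefer not to configure a CIDR match type, keep the case(cidrmatch(...)) eval from the question in place of the lookup line and only use the append/inputlookup part to add the zero rows; the final stats sum(count) is what turns the appended zeros into visible "no traffic" results. The same append-and-sum pattern works on data-model output too, but tstats cannot apply cidrmatch itself, so the per-subnet tagging still has to happen with eval or a CIDR lookup after the tstats command.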