Splunk Search

How to find a host which is missing a specific value?

galindimitrov
Explorer

Hi all,

My question is focused on open ports but the condition applies to a wide range of scenarios. My question is the following:

I need to create alerts for specific ports when they are not open, and my query looks like this

sourcetype=openPorts Port=2000  | search host=*foo*

This checks all the hosts with "foo" in their name for open port 2000. My question is, how do I define a search that returns the hosts that do NOT have the specified port open? When I try to amend the query either using "NOT" or "!=" I get all port values that are not 2000. How do I get the results that do not have that value at all?

0 Karma
1 Solution

woodcock
Esteemed Legend

Why is this not sufficient?

index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="openPorts"
| stats count(eval(Port="2000")) AS port2000 BY host
| where port2000=="0"

tbavarva
Path Finder

Hi @galindimitrov,

You can create a lookup which contains pattern matching hosts and you can use it in your query.

sourcetype=openPorts Port=2000 | search host=foo NOT [| inputlookup lookup_filename.csv | fields host]

If it helps you, please accept it as an answer.

Regards,
Tejas

0 Karma

galindimitrov
Explorer

I will check tomorrow and let you know, thanks in advance 🙂

0 Karma

tbavarva
Path Finder

Correcting host matching pattern.

sourcetype=openPorts Port=2000 | search host="foo" NOT [| inputlookup lookup_filename.csv | fields host]

Regards,
Tejas

0 Karma

to4kawa
Ultra Champion

Hi, @galindimitrov
I think you can use IN

sourcetype=openPorts Port IN (80,8080,10080,...)    host=*foo*

0 Karma

galindimitrov
Explorer

@to4kawa,
It looks good at first glance, but in my case I do not believe it is very applicable. For example, host X may have the needed port open and it will show in the query; after some time something happens and the port is closed. Using IN lets me filter by a range, but what I need is to know which host does not have the value in the query, like in the above example port 2000. But if I just look for results in a range, I will potentially get hosts that also have the port open even though it may not be specified in the query.

0 Karma

to4kawa
Ultra Champion

Give examples of host and port status and indicate when you want results.

sourcetype=openPorts NOT Port IN (80,8080,10080,...)    host=*foo*

I think this is good.

0 Karma

galindimitrov
Explorer

sourcetype=openPorts Port IN (8076,9999,5555,8283,8284,8092,8093,9899)  | search host=*511100471375* | table host Port

https://imgur.com/0qKvapm
This query will return all the hosts with 511100471375 in their names with open ports corresponding to the range given in the IN operator. However, that does not mean that port 2000 is not open on any of the hosts in the results. So if my query looks like

sourcetype=openPorts Port IN (8076,9999,5555,8283,8284,8092,8093,9899,2000)  | search host=*511100471375* | table host Port

I will get the same results as the last query, with an additional entry for each host that has port 2000 open. What I am looking to achieve is to set an alarm to be triggered when a port is no longer open or is not present in the open ports on a given host, and I need to see which hosts no longer have the port open. Let's say the logic I am looking for is

sourcetype=openports return hosts that do not have Port=2000 | table host Port

0 Karma

to4kawa
Ultra Champion

sourcetype=openPorts host=*511100471375*
| stats values(Port) as Port by host
| where isnull(mvfind(Port,2000))

This query displays a list of open ports on the host and excludes those that contain port 2000.

0 Karma
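
As an added illustration (not code from this thread, and not Splunk itself), the Python below models the searches discussed above over a handful of constructed openPorts events: the event-level NOT from the original question, woodcock's `count(eval(Port=2000)) BY host` aggregation, and to4kawa's `values(Port)` / `mvfind` variant. Host names, ports and the INVENTORY list are all constructed; the functions are hypothetical models of the SPL semantics, written to show why per-event negation returns the wrong hosts and what each aggregation does and does not catch.

```python
import re
from collections import defaultdict

# Constructed sample events (not real data), one event per (host, open port)
# observation, mirroring what a sourcetype=openPorts search would return.
EVENTS = [
    {"host": "foo-web-01", "Port": 22},
    {"host": "foo-web-01", "Port": 2000},
    {"host": "foo-web-01", "Port": 443},
    {"host": "foo-web-02", "Port": 22},
    {"host": "foo-web-02", "Port": 443},    # port 2000 missing on this host
    {"host": "foo-web-03", "Port": 22},
    {"host": "foo-web-03", "Port": 12000},  # no 2000, but "12000" contains "2000"
    {"host": "foo-db-01", "Port": 2000},
    {"host": "bar-db-01", "Port": 22},      # does not match host=*foo*
]

# Hypothetical inventory of hosts expected to report (an inputlookup in Splunk).
INVENTORY = ["foo-app-01", "foo-db-01", "foo-web-01", "foo-web-02", "foo-web-03"]


def matches_host(host, pattern="foo"):
    """host=*foo* : wildcard substring match on the host name."""
    return pattern in host


def event_level_not(events, port=2000, pattern="foo"):
    """Model of `sourcetype=openPorts NOT Port=2000 | search host=*foo*`.

    The NOT is applied per event, so any host with at least one other open
    port survives, including hosts where port 2000 IS open. This is the
    behaviour the original question describes as unwanted.
    """
    return sorted({e["host"] for e in events
                   if matches_host(e["host"], pattern) and e["Port"] != port})


def hosts_missing_port_count(events, port=2000, pattern="foo"):
    """Model of the accepted answer:
    `| stats count(eval(Port=2000)) AS port2000 BY host | where port2000==0`.

    Aggregating per host first turns the question into "how many of this
    host's events carry the port?", so a count of zero means it is missing.
    """
    per_host = defaultdict(int)
    for e in events:
        if matches_host(e["host"], pattern):
            per_host[e["host"]] += 1 if e["Port"] == port else 0
    return sorted(h for h, n in per_host.items() if n == 0)


def hosts_missing_port_mvfind(events, port_regex="2000", pattern="foo"):
    """Model of `| stats values(Port) AS Port BY host | where isnull(mvfind(Port,2000))`.

    mvfind takes a regex and returns the index of the first matching value,
    so the unanchored pattern "2000" also matches 12000 or 20001; anchor it
    ("^2000$") to match the port exactly.
    """
    ports_by_host = defaultdict(list)
    for e in events:
        if matches_host(e["host"], pattern):
            ports_by_host[e["host"]].append(str(e["Port"]))
    rx = re.compile(port_regex)
    return sorted(h for h, ports in ports_by_host.items()
                  if not any(rx.search(p) for p in ports))


def hosts_missing_port_with_inventory(events, inventory, port=2000, pattern="foo"):
    """Both aggregations only see hosts that produced at least one event.
    A host that stopped reporting entirely never shows up as "missing the
    port"; checking against an expected-host list (an inputlookup in Splunk)
    catches the silent host as well.
    """
    seen_with_port = {e["host"] for e in events if e["Port"] == port}
    return sorted(h for h in inventory
                  if matches_host(h, pattern) and h not in seen_with_port)


if __name__ == "__main__":
    print("event-level NOT (wrong):", event_level_not(EVENTS))
    print("count(eval()) by host  :", hosts_missing_port_count(EVENTS))
    print("mvfind, unanchored     :", hosts_missing_port_mvfind(EVENTS, "2000"))
    print("mvfind, anchored       :", hosts_missing_port_mvfind(EVENTS, "^2000$"))
    print("against inventory      :", hosts_missing_port_with_inventory(EVENTS, INVENTORY))
```

Two things the model makes visible that the SPL alone does not: the unanchored `mvfind(Port,2000)` treats 2000 as a regex and silently accepts a host whose only match is port 12000, and neither aggregation can report a host that produced no events at all, which matters for an alert meant to fire when a port disappears. Comparing the aggregated result against a lookup of expected hosts closes that gap.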

galindimitrov
Explorer

Thank you, I will test it out tomorrow and let you know 🙂

0 Karma