Splunk Search

How to generate a search to monitor Palo Alto firewall logs?

New Member

Can someone help out with a search for the below context:

1) Need to get all the public IPs having blocked traffic (with blocked log count > 100).
2) IPs identified in step 1 should also have an allowed connection (count > 1) through the firewall.

Please let me know the search. This search needs to be used for Palo Alto Firewall logs. Thanks in advance.


Splunk Employee

Do you mean something with this kind of logic:

tag=network
| stats count(eval(action=="failure")) as failure, count(eval(action=="success")) as success by src
| where failure > 100 AND success > 1
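The logic sketched in the answer above, worked through as an added example that is not code from this thread, from Splunk or from Palo Alto Networks: a small Python script that parses constructed PAN-OS-style traffic log lines, maps the PAN-OS action values onto the allowed/blocked split the question asks for, excludes non-public source addresses with an explicit CIDR list (what cidrmatch() does in SPL), and applies the two thresholds from the question. The column indexes, the action-value map, the sourcetype and field names in the SPL reference string, and the sample lines are assumptions or constructed data, not facts taken from the thread; check them against your own PAN-OS version and index.

```python
"""Public source IPs with > 100 blocked and > 1 allowed sessions in PAN-OS traffic logs.

Added example; not Splunk's, Palo Alto Networks' or the thread's code.
All sample data below is constructed.
"""
import csv
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# PAN-OS traffic log "action" values mapped onto the allowed/blocked split the
# question asks for. Assumption: these are the action values on your PAN-OS
# version; the Splunk Palo Alto add-on performs a similar normalization.
ACTION_MAP = {
    "allow": "allowed",
    "deny": "blocked",
    "drop": "blocked",
    "reset-client": "blocked",
    "reset-server": "blocked",
    "reset-both": "blocked",
}

# Address space treated as non-public. Listing CIDRs explicitly mirrors what
# cidrmatch() would do in SPL and, unlike ipaddress.is_global, lets the
# RFC 5737 documentation ranges used as stand-in "public" IPs below pass.
NON_PUBLIC = [ipaddress.ip_network(c) for c in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# The same logic in SPL, for reference. Assumption: the Palo Alto add-on's
# sourcetype pan:traffic with the fields src and action normalized to
# allowed/blocked; adjust the names to your index.
EQUIVALENT_SPL = r"""
sourcetype=pan:traffic
| stats count(eval(action="blocked")) AS blocked, count(eval(action="allowed")) AS allowed BY src
| where blocked > 100 AND allowed > 1
| where NOT cidrmatch("10.0.0.0/8", src) AND NOT cidrmatch("172.16.0.0/12", src) AND NOT cidrmatch("192.168.0.0/16", src)
"""


def is_public(ip_text: str) -> bool:
    """True for a syntactically valid address outside every NON_PUBLIC range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # garbage in the src column is never "public"
    return not any(ip in net for net in NON_PUBLIC)


def parse_traffic(lines: Iterable[str], src_col: int, action_col: int) -> List[Tuple[str, str]]:
    """Return (src, normalized_action) pairs from CSV traffic log lines.

    Column indexes are passed in because the sample below uses a short layout.
    Assumption: in a real PAN-OS traffic syslog line, Source Address is column 7
    and Action column 30 (0-based); verify against the log-format reference for
    your PAN-OS version.
    """
    out = []
    for row in csv.reader(lines):
        if len(row) <= max(src_col, action_col):
            continue  # truncated or non-traffic line
        action = ACTION_MAP.get(row[action_col].strip().lower())
        if action is None:
            continue  # unknown action value (other log type, typo)
        out.append((row[src_col].strip(), action))
    return out


def find_suspicious_sources(records: Iterable[Tuple[str, str]],
                            blocked_min: int = 100,
                            allowed_min: int = 1) -> Dict[str, Tuple[int, int]]:
    """{src: (blocked, allowed)} for public sources with blocked > blocked_min
    and allowed > allowed_min, i.e. both criteria from the question."""
    counts = defaultdict(lambda: [0, 0])
    for src, action in records:
        counts[src][0 if action == "blocked" else 1] += 1
    return {src: (b, a) for src, (b, a) in counts.items()
            if is_public(src) and b > blocked_min and a > allowed_min}


def build_sample_log() -> List[str]:
    """Constructed 5-column sample (receive_time, src, dst, dport, action).

    203.0.113.7: 120 blocked + 2 allowed (matches both criteria)
    198.51.100.9: 150 blocked + 0 allowed (no allowed session)
    192.0.2.44: 50 blocked + 3 allowed (below the blocked threshold)
    10.20.30.40: 200 blocked + 5 allowed (private source, excluded)
    """
    spec = [("203.0.113.7", 120, 2), ("198.51.100.9", 150, 0),
            ("192.0.2.44", 50, 3), ("10.20.30.40", 200, 5)]
    lines = []
    for src, blocked, allowed in spec:
        for i in range(blocked):
            action = ("deny", "drop", "reset-both")[i % 3]
            lines.append(f"2024/05/01 10:{i % 60:02d}:00,{src},192.168.1.10,{1000 + i},{action}")
        for i in range(allowed):
            lines.append(f"2024/05/01 11:{i:02d}:00,{src},192.168.1.10,443,allow")
    lines.append("not,a,traffic,line")  # truncated junk the parser must skip
    return lines


if __name__ == "__main__":
    recs = parse_traffic(build_sample_log(), src_col=1, action_col=4)
    for src, (blocked, allowed) in sorted(find_suspicious_sources(recs).items()):
        print(f"{src}: blocked={blocked} allowed={allowed}")
```

Only 203.0.113.7 survives the sample: 198.51.100.9 fails the allowed criterion, 192.0.2.44 the blocked one, and 10.20.30.40 is RFC 1918. If your PAN-OS logs carry a Repeat Count column, multiply each line by it before counting; a plain event count, like the stats count in SPL, undercounts aggregated sessions.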

Motivator

Hi there,

Do you mind sharing some sample data to work with?
