Solved: Re: How to import a list of IP and port pairs, the...

pwqs · ‎12-07-2015

I regularly generate a list of IP addresses and port pairs for which I should see traffic, and I log firewall traffic in Splunk. Is there a way that I can import that list of IP/port pairs and then compare against the firewall logs to generate statistics? I'm particularly interested in low/no results, i.e. IP/port pairs which should be seen, but haven't been. The comparison itself is simple, it's using the externally-generated list that I'm struggling with. I can create a lookup table, but I'm not sure how to compare the logs against that lookup table.

Any thoughts?

sundareshr · ‎12-07-2015

If you have a iplist_lookup lookup table with a field called ipaddress, you could do something like this

sourcetype="network_logs" | join ipaddress [|inputlookup iplist_lookup] | stats ...

View solution in original post

sundareshr · ‎12-07-2015

If you have a iplist_lookup lookup table with a field called ipaddress, you could do something like this

sourcetype="network_logs" | join ipaddress [|inputlookup iplist_lookup] | stats ...

pwqs · ‎12-07-2015

This works almost perfectly, however I can't work out how to display where the count is zero.

sundareshr · ‎12-07-2015

Change the order and do a join

|inputlookup iplist_lookup | join type=outer ipaddress  [search sourcetype="network_logs"  | stats count by ipaddress] | fillnull value=0 count

pwqs · ‎12-07-2015

Perfect, thanks!

How to import a list of IP and port pairs, then compare this against firewall logs to generate statistics?

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!