Need Assistance combining 2 searches from different indexes

Path Finder

I am trying to piece together a search that shows all allowed connections that originate from our web proxies and pass through our perimeter firewalls on ports that are not 80 and 443.

Here is the search I have so far, which doesn't seem to be showing the data correctly:

index=*firewall action=allowed (src_ip=10.x.x.x OR src_ip=10.x.x.x OR src_ip=10.x.x.x OR src_ip=10.x.x.x OR src_ip=10.x.x.x) AND (dest_port!=80 AND dest_port!=443) AND (dest_ip!=192.x.x.x/20 AND dest_ip!=205.x.x.x/19) 
| append [search index=*proxy action=allowed (port!=80 AND port!=443) | rename port AS dest_port | table action,dest_ip, dest_port, dest] 
| stats dc(dest_ip) by dest_ip, dest_port, dest, action, index
| sort -dest_port, dest_ip
| table index,action,dest_ip, dest_port, dest

Here is what I am wanting to see:

Action   Dest_IP    Dest_Port   Dest (Domain)
Allowed  175.x.x.x  9009        anydomain.com

The action, dest_ip and dest_port appear in the firewall index.
The action, dest_ip, port (renamed to dest_port in the search) and dest appear in the proxy index.


Path Finder

This search is returning results, but I am not confident this is the best path and still need to validate that the data is good.

(index=*proxy action=allowed (host=Proxy0* OR host=AnotherProxy*) AND (port!=80 AND port!=443)) OR (index=*firewall action=allowed (src_ip=10.x.x.x OR src_ip=10.x.x.x) AND (dest_port!=80 AND dest_port!=443) AND (dest_ip!=192.x.x.x/20 AND dest_ip!=205.x.x.x/19)) 
| rename port AS dest_port
| stats dc(dest_ip) by dest_ip, dest_port, action, dest, url
| dedup dest
| sort -dest_port, dest_ip
| table action,dest_ip, dest_port, dest, url

Edit: typo


SplunkTrust

You do not, at the current point, have any information linking the data in the two indexes. Are these two parts of a single transaction (list all the firewall events together with their related proxy events), or are they separate items that you are putting together (list all the firewall events, list all the proxy events)?


Path Finder

I am wanting to list all firewall events and their related proxy events, matching the destination IP from the firewall to the destination IP from the proxy and showing the associated web site.
