Need Assistance combining 2 searches from different indexes

cburgman
Path Finder

I am trying to piece together a search that shows all allowed connections that originate from our web proxies and pass through our perimeter firewalls on ports that are not 80 and 443.

Here is the search I have so far that doesn't seem to be showing the data correctly:

index=*firewall action=allowed (src_ip=10.x.x.x OR src_ip=10.x.x.x OR src_ip=10.x.x.x OR src_ip=10.x.x.x OR src_ip=10.x.x.x) AND (dest_port!=80 AND dest_port!=443) AND (dest_ip!=192.x.x.x/20 AND dest_ip!=205.x.x.x/19) 
| append [search index=*proxy action=allowed (port!=80 AND port!=443) | rename port AS dest_port | table action,dest_ip, dest_port, dest] 
| stats dc(dest_ip) by dest_ip, dest_port, dest, action, index
| sort -dest_port, dest_ip
| table index,action,dest_ip, dest_port, dest

Here is what I am wanting to see:

Action   Dest_IP    Dest_Port   Dest(Domain)
Allowed  175.x.x.x  9009        anydomain.com

The action, dest_ip and dest_port appear in the firewall index.
The action, dest_ip, port (renamed to dest_port in the search) and dest appear in the proxy index.

0 Karma

cburgman
Path Finder

This search is returning results, but I'm not confident this is the best path and I still need to validate that the data is good.

(index=*proxy action=allowed (host=Proxy0* OR host=AnotherProxy*) AND (port!=80 AND port!=443)) OR (index=*firewall action=allowed (src_ip=10.x.x.x OR src_ip=10.x.x.x) AND (dest_port!=80 AND dest_port!=443) AND (dest_ip!=192.x.x.x/20 AND dest_ip!=205.x.x.x/19)) 
| rename port AS dest_port
| stats dc(dest_ip) by dest_ip, dest_port, action, dest, url
| dedup dest
| sort -dest_port, dest_ip
| table action,dest_ip, dest_port, dest, url

Edit: typo

0 Karma

DalJeanis
Legend

You do not, at the current point, have any information linking the data in the two indexes. Are these two parts of a single transaction (list all the firewall events together with their related proxy events), or are they separate items that you are putting together (list all the firewall events, list all the proxy events)?

0 Karma

cburgman
Path Finder

I am wanting to list all firewall events and their related proxy events, matching the destination IP from the firewall to the destination IP from the proxy and showing the associated web site.

0 Karma