Currently I have Splunk ingesting AWS logs showing NACLs. Each event has an array called network_acl_entries. This is a list of objects, each of which has a cidr_block field and a rule_action field.
I'm trying to display in a table each rule that is not a deny on subnet 0.0.0.0/0. I can't find a way to remove the entire object from the list if network_acl_entries.cidr_block=0.0.0.0/0 and network_acl_entries.rule_action="allow". There's no way to correlate the data.
I put them in a table, and I can individually remove all the denies, but it still lists the CIDRs associated with the denies.
The search for the table looks like:
index=__aws aws_account_id="*" region="*" source="*:vpc_network_acls" sourcetype="aws:description"
| dedup associations{}.id
| rename network_acl_entries{}.cidr_block as cidr, network_acl_entries{}.egress as egress, network_acl_entries{}.rule_action as rule, associations{}.subnet_id as subnet, network_acl_entries{}.port_range.to_port as "to port", network_acl_entries{}.port_range.from_port as "from port", network_acl_entries{}.rule_number as rule_Number
| table index account_id vpc_id tags.Name id subnet rule_Number cidr egress rule "to port" "from port"
Each row in the table is a separate VPC that lists all NACLs and the CIDRs that are open/closed.
You can apply stats to expand the multi-value field into multiple events and then apply a search to remove whatever you would like.
For example:
If you have field A and it contains two values, allow and deny, in a single event,
do stats by field A; you will get two results, and then you can apply a filter to remove allow or deny.
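The root of the problem in the question is that the flattened `network_acl_entries{}.cidr_block` and `network_acl_entries{}.rule_action` fields are two parallel multi-value lists, so once they are renamed and tabled you can no longer tell which CIDR belonged to which action. Whatever you expand on (stats, or pulling the array back out of `_raw` with `spath` and `mvexpand`), the fix is to produce one row per entry object and only then filter. The script below, added here as an illustration and not part of either post, does exactly that over a constructed `aws:description` event shaped after the field names in the question; it also shows the first-match evaluation AWS applies to NACL rules (ascending rule number, first hit wins), so you can see that an `allow 0.0.0.0/0` on port 443 is world-reachable even with a later `deny 0.0.0.0/0`. The event values, subnet IDs and addresses are made up; the effective-verdict check ignores the protocol field and ICMP type/code, which is an assumption for brevity.

```python
import ipaddress
import json

# Constructed sample event for source "*:vpc_network_acls" (sourcetype aws:description),
# using the field names from the question. Values are made up, not a real capture.
SAMPLE_EVENT = json.dumps({
    "id": "acl-0123456789abcdef0",
    "vpc_id": "vpc-0abc",
    "tags": {"Name": "prod-nacl"},
    "associations": [
        {"id": "aclassoc-1", "subnet_id": "subnet-a"},
        {"id": "aclassoc-2", "subnet_id": "subnet-b"},
    ],
    "network_acl_entries": [
        {"rule_number": 100, "egress": False, "rule_action": "allow", "protocol": "6",
         "cidr_block": "0.0.0.0/0", "port_range": {"from_port": 443, "to_port": 443}},
        {"rule_number": 110, "egress": False, "rule_action": "allow", "protocol": "6",
         "cidr_block": "10.0.0.0/8", "port_range": {"from_port": 22, "to_port": 22}},
        {"rule_number": 120, "egress": False, "rule_action": "deny", "protocol": "-1",
         "cidr_block": "0.0.0.0/0"},
        {"rule_number": 100, "egress": True, "rule_action": "allow", "protocol": "-1",
         "cidr_block": "0.0.0.0/0"},
        {"rule_number": 32767, "egress": True, "rule_action": "deny", "protocol": "-1",
         "cidr_block": "0.0.0.0/0"},
    ],
})


def expand_entries(raw_event):
    """One row per (subnet association, ACL entry). cidr, rule and ports in a row
    all come from the same entry object, which is what the flat {}-fields lose."""
    ev = json.loads(raw_event)
    subnets = [a.get("subnet_id") for a in ev.get("associations", [])] or [None]
    rows = []
    for entry in ev.get("network_acl_entries", []):
        ports = entry.get("port_range") or {}   # absent when protocol is "-1" (all traffic)
        for subnet in subnets:
            rows.append({
                "vpc_id": ev.get("vpc_id"),
                "acl_id": ev.get("id"),
                "name": (ev.get("tags") or {}).get("Name"),
                "subnet": subnet,
                "rule_number": entry.get("rule_number"),
                "egress": bool(entry.get("egress")),
                "cidr": entry.get("cidr_block"),
                "rule": entry.get("rule_action"),
                "protocol": entry.get("protocol"),
                "from_port": ports.get("from_port"),
                "to_port": ports.get("to_port"),
            })
    return rows


def filter_rows(rows, cidr="0.0.0.0/0", action="allow", keep=False):
    """Drop (keep=False) or keep only (keep=True) rows whose cidr AND action both match.
    Because each row is one entry object, the two conditions are correlated."""
    def hit(r):
        return r["cidr"] == cidr and r["rule"] == action
    return [r for r in rows if hit(r) == keep]


def first_match(rows, subnet, egress, ip, port):
    """Effective verdict for one packet on one subnet: NACL rules are evaluated in
    ascending rule_number order and the first matching rule wins. Protocol and ICMP
    type/code are ignored here (assumption for brevity). Returns (rule_number, action),
    or (None, 'deny') when no rule matches."""
    addr = ipaddress.ip_address(ip)
    candidates = (r for r in rows if r["subnet"] == subnet and r["egress"] == egress)
    for r in sorted(candidates, key=lambda r: r["rule_number"]):
        if addr not in ipaddress.ip_network(r["cidr"], strict=False):
            continue
        if r["from_port"] is not None and not (r["from_port"] <= port <= r["to_port"]):
            continue
        return r["rule_number"], r["rule"]
    return None, "deny"


if __name__ == "__main__":
    rows = expand_entries(SAMPLE_EVENT)
    # The rows the question wants to isolate: allows from anywhere.
    for r in filter_rows(rows, keep=True):
        print(r["subnet"], r["rule_number"], "egress" if r["egress"] else "ingress",
              r["cidr"], r["rule"], r["from_port"], r["to_port"])
    print(first_match(rows, "subnet-a", False, "203.0.113.9", 443))  # (100, 'allow')
    print(first_match(rows, "subnet-a", False, "203.0.113.9", 22))   # (120, 'deny')
```

Run it as-is to see the flattened rows; swap `keep=True` for the default to get the table with the world-open allows removed, which is the filter the question describes. The same shape carries over to SPL: expand the array to one event per entry first, extract `cidr_block` and `rule_action` from that single element, and apply `search NOT (cidr="0.0.0.0/0" AND rule="allow")` only after the expansion, never on the parallel `{}` fields.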