Hello everyone.

I'm fairly new to Splunk, I've recently joined a job as a security analist in a SOC where I get to use this cool tool. This question is kind of a continuation to my previos post:

https://community.splunk.com/t5/Splunk-Search/Help-on-query-to-filter-incoming-traffic-to-a-firewall...

I had to make a query to do two things:

• First, look for any potential policy with any ports enabled.
• Second, find out which of these policies were allowing or teardowning request coming from public IP addresses.

For this I came up with this query which does the work imo:

index="sourcedb" sourcetype=fgt_traffic host="external_firewall_ip" action!=blocked 
| eventstats dc(dstport) as different_ports by policyid 
| where different_ports>=5 
| eval source_ip=if(cidrmatch("10.0.0.0/8", src) OR cidrmatch("192.168.0.0/16", src) OR cidrmatch("172.16.0.0/12", src),"private","public") 
| where source_ip="public" 
| eval policy=if(isnull(policyname),policyid,policyid+" - "+policyname) 
| eval port_list=if(proto=6,"tcp",if(proto=17,"udp","proto"+proto))+"/"+dstport | dedup port_list 
| table source policy different_ports port_list 
| mvcombine delim=", " port_list

However, the problem I'm having is that the port list is being shown like if it was one big list, like this:

1

2

3

4

5

I'd like for it to show like this:

1, 2, 3, 4, 5

I've also tried replacing the table command with a stats delim=", " value(port_list) but I've had no success.

I'd appreciate if you could give me some insight on how could I solve this, I had in mind trying mvjoin but had no clue on how to approach it.

Thanks in advance.