Splunk Search

This delim in my query is not working, how could I possibly solve this problem?

Berfomet96
Explorer

Hello everyone.

I'm fairly new to Splunk, I've recently joined a job as a security analist in a SOC where I get to use this cool tool. This question is kind of a continuation to my previos post:

https://community.splunk.com/t5/Splunk-Search/Help-on-query-to-filter-incoming-traffic-to-a-firewall...

I had to make a query to do two things:

  • First, look for any potential policy with any ports enabled.
  • Second, find out which of these policies were allowing or teardowning request coming from public IP addresses.

For this I came up with this query which does the work imo:

 

index="sourcedb" sourcetype=fgt_traffic host="external_firewall_ip" action!=blocked 
| eventstats dc(dstport) as different_ports by policyid 
| where different_ports>=5 
| eval source_ip=if(cidrmatch("10.0.0.0/8", src) OR cidrmatch("192.168.0.0/16", src) OR cidrmatch("172.16.0.0/12", src),"private","public") 
| where source_ip="public" 
| eval policy=if(isnull(policyname),policyid,policyid+" - "+policyname) 
| eval port_list=if(proto=6,"tcp",if(proto=17,"udp","proto"+proto))+"/"+dstport | dedup port_list 
| table source policy different_ports port_list 
| mvcombine delim=", " port_list

 

However, the problem I'm having is that the port list is being shown like if it was one big list, like this:

1

2

3

4

5

I'd like for it to show like this:

1, 2, 3, 4, 5

I've also tried replacing the table command with a stats delim=", " value(port_list) but I've had no success.

I'd appreciate if you could give me some insight on how could I solve this, I had in mind trying mvjoin but had no clue on how to approach it.

Thanks in advance.

Labels (3)
Tags (3)
0 Karma
1 Solution

venky1544
Builder

Hi @Berfomet96 

just try the nomv command after your delim command it should work it will convert the values of the specified multivalue field into one single value

|mvcombine delim="," port_list |nomv portlist

Example 

|makeresults |eval port_list="1"
|append [|makeresults |eval port_list="2"]
|append [|makeresults |eval port_list="3"] |fields - _time | mvcombine delim="," port_list
| nomv port_list

 

Nots: if it helps karma is appreciated/if it resolves acceptance of solution is appreciated

View solution in original post

venky1544
Builder

Hi @Berfomet96 

just try the nomv command after your delim command it should work it will convert the values of the specified multivalue field into one single value

|mvcombine delim="," port_list |nomv portlist

Example 

|makeresults |eval port_list="1"
|append [|makeresults |eval port_list="2"]
|append [|makeresults |eval port_list="3"] |fields - _time | mvcombine delim="," port_list
| nomv port_list

 

Nots: if it helps karma is appreciated/if it resolves acceptance of solution is appreciated

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...