- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- This delim in my query is not working, how could I...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello everyone.
I'm fairly new to Splunk, I've recently joined a job as a security analist in a SOC where I get to use this cool tool. This question is kind of a continuation to my previos post:
I had to make a query to do two things:
- First, look for any potential policy with any ports enabled.
- Second, find out which of these policies were allowing or teardowning request coming from public IP addresses.
For this I came up with this query which does the work imo:
index="sourcedb" sourcetype=fgt_traffic host="external_firewall_ip" action!=blocked
| eventstats dc(dstport) as different_ports by policyid
| where different_ports>=5
| eval source_ip=if(cidrmatch("10.0.0.0/8", src) OR cidrmatch("192.168.0.0/16", src) OR cidrmatch("172.16.0.0/12", src),"private","public")
| where source_ip="public"
| eval policy=if(isnull(policyname),policyid,policyid+" - "+policyname)
| eval port_list=if(proto=6,"tcp",if(proto=17,"udp","proto"+proto))+"/"+dstport | dedup port_list
| table source policy different_ports port_list
| mvcombine delim=", " port_list
However, the problem I'm having is that the port list is being shown like if it was one big list, like this:
1
2
3
4
5
I'd like for it to show like this:
1, 2, 3, 4, 5
I've also tried replacing the table command with a stats delim=", " value(port_list) but I've had no success.
I'd appreciate if you could give me some insight on how could I solve this, I had in mind trying mvjoin but had no clue on how to approach it.
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Berfomet96
just try the nomv command after your delim command it should work it will convert the values of the specified multivalue field into one single value
|mvcombine delim="," port_list |nomv portlist
Example
|makeresults |eval port_list="1"
|append [|makeresults |eval port_list="2"]
|append [|makeresults |eval port_list="3"] |fields - _time | mvcombine delim="," port_list
| nomv port_list
Nots: if it helps karma is appreciated/if it resolves acceptance of solution is appreciated
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Berfomet96
just try the nomv command after your delim command it should work it will convert the values of the specified multivalue field into one single value
|mvcombine delim="," port_list |nomv portlist
Example
|makeresults |eval port_list="1"
|append [|makeresults |eval port_list="2"]
|append [|makeresults |eval port_list="3"] |fields - _time | mvcombine delim="," port_list
| nomv port_list
Nots: if it helps karma is appreciated/if it resolves acceptance of solution is appreciated
Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!
Preparing your Splunk Environment for OpenSSL3
Incident Response: Reduce Incident Recurrence with Automated Ticket Creation
