Using fireall logs to find hosts that do not use a...

john_byun · ‎06-23-2020

I have the following query for PAN firewall logs:

index=pan app=ssl

| stats count by src

This would give me a list of all src IPs of devices that use SSL. How would I create a query to give me the opposite results? I want the list of src IPs that never have SSL traffic.

DalJeanis · ‎06-23-2020

Here's one way:

index=pan app=*
| stats count by src app
| where app!="ssl"

Here's another:

index=pan app!="ssl"
| stats count by src

john_byun · ‎06-23-2020

I am looking to list all src's that do not use ssl. Your query basically gives me the same results because all src's use multiple apps.

Is there a way to do this without me doing a massive diff of tens of thousands of results?

DalJeanis · ‎06-26-2020

Try this

index=pan app=*
| stats count values(app) as app by src
| where NOT (app="ssl")

Using fireall logs to find hosts that do not use a specific protocol

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation