Splunk Search

Using firewall logs to find hosts that do not use a specific protocol

john_byun
Path Finder

I have the following query for PAN firewall logs:

index=pan app=ssl
| stats count by src

This would give me a list of all src IPs of devices that use SSL.  How would I create a query to give me the opposite results?  I want the list of src IPs that never have SSL traffic.


DalJeanis
SplunkTrust

Here's one way:

index=pan app=*
| stats count by src app
| where app!="ssl"

Here's another:

index=pan app!="ssl"
| stats count by src


john_byun
Path Finder

I am looking to list all src's that do not use ssl.  Your query basically gives me the same results because all src's use multiple apps.

Is there a way to do this without me doing a massive diff of tens of thousands of results?


DalJeanis
SplunkTrust

Try this:

index=pan app=*
| stats count values(app) as app by src
| where NOT (app="ssl")
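The difference between the two approaches in this thread, as an added example that is not part of the original posts: an event-level filter (`app!=ssl`) returns almost every host, while a host-level aggregation (collect every app per src, then drop srcs whose set contains ssl) answers the actual question. The log lines and field layout are constructed for the example, not taken from PAN logs.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the thread): each line carries the two
# fields the stats commands above group on, "src=<ip> app=<app>".
SAMPLE_LOGS = """\
src=10.0.0.5 app=ssl
src=10.0.0.5 app=dns
src=10.0.0.7 app=dns
src=10.0.0.7 app=web-browsing
src=10.0.0.9 app=ssl
src=10.0.0.9 app=ssh
src=10.0.0.11 app=smtp
""".splitlines()

FIELD_RE = re.compile(r"src=(?P<src>\S+)\s+app=(?P<app>\S+)")


def parse(lines):
    """Yield (src, app) pairs, skipping lines that do not match the layout."""
    for line in lines:
        m = FIELD_RE.search(line)
        if m:
            yield m.group("src"), m.group("app")


def hosts_seen_without(lines, app):
    """Mirror of `app!=ssl | stats count by src`: any host with at least one
    non-ssl event qualifies, so nearly every host comes back (the asker's
    complaint)."""
    return sorted({src for src, a in parse(lines) if a != app})


def hosts_never_using(lines, app):
    """Mirror of `stats values(app) as app by src` plus a host-level test:
    collect the full app set per src, keep only srcs whose set lacks `app`."""
    apps_by_src = defaultdict(set)
    for src, a in parse(lines):
        apps_by_src[src].add(a)
    return sorted(src for src, apps in apps_by_src.items() if app not in apps)


if __name__ == "__main__":
    print("event-level filter:", hosts_seen_without(SAMPLE_LOGS, "ssl"))
    print("host-level filter: ", hosts_never_using(SAMPLE_LOGS, "ssl"))
```

In SPL the host-level test on the multivalue `app` field can be written explicitly as `| where isnull(mvfind(app, "^ssl$"))`, which returns only srcs whose collected app list has no ssl entry.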