Splunk Search

Using fireall logs to find hosts that do not use a specific protocol

john_byun
Path Finder

I have the following query for PAN firewall logs:

index=pan app=ssl

| stats count by src

This would give me a list of all src IPs of devices that use SSL.  How would I create a query to give me the opposite results?  I want the list of src IPs that never have SSL traffic.

Labels (1)
0 Karma

DalJeanis
Legend

Here's one way:

index=pan app=*
| stats count by src app
| where app!="ssl"

 

Here's another:

index=pan app!="ssl"
| stats count by src

 

0 Karma

john_byun
Path Finder

I am looking to list all src's that do not use ssl.  Your query basically gives me the same results because all src's use multiple apps.

Is there a way to do this without me doing a massive diff of tens of thousands of results?

0 Karma

DalJeanis
Legend

Try this

index=pan app=*
| stats count values(app) as app by src
| where NOT (app="ssl")

 

0 Karma
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...