Splunk Search

What is the way to exclude ports from a single search?

brian1_tate
Path Finder

Silly question here. I am trying to search against my WAN for traffic flows NOT equal to certain ports. I seem to have my syntax wrong here I think.

index="network" dport!=53 OR dport!=123 OR dport!=80 OR dport!=443 | iplocation src

What am I doing wrong here?


gokadroid
Motivator

I beg to differ from @somesoni2 and @skoelpin, as the logical OR looks wrong in the first part of the query syntax if the intention is to exclude all four ports from showing up in the search:

index="network" dport!=53 OR dport!=123 OR dport!=80 OR dport!=443 | iplocation src

Since a logical OR has been put in with a negation on the field value in the above search, this search is only as good as searching index="network" | iplocation src
The reason is that whatever dport!=53 excludes from the search will be included by any of the other three negations (in fact any one other negation is sufficient). So ultimately not a single negation will work.

If the intention is not to search any of the four ports mentioned, then using AND achieves the intended result, which looks something like:

index="network" dport!=53 AND dport!=123 AND dport!=80 AND dport!=443 | iplocation src
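To make the difference between the two forms concrete, here is an added example (not from the original thread or from Splunk) that evaluates the OR and AND variants over a handful of constructed events, mimicking how Splunk treats `field!=value`. It also shows the related caveat behind @somesoni2's "does the field exist" check: `dport!=X` only matches events where `dport` is extracted, whereas `NOT dport=X` also keeps events with no `dport` at all. The event records and port values are constructed for illustration.

```python
"""Added example: simulate Splunk's evaluation of OR-ed vs AND-ed `!=` clauses."""

# Constructed sample events (not real traffic); the last one has no dport extracted.
EVENTS = [
    {"src": "10.0.0.5", "dport": "53"},
    {"src": "10.0.0.6", "dport": "123"},
    {"src": "10.0.0.7", "dport": "80"},
    {"src": "10.0.0.8", "dport": "443"},
    {"src": "10.0.0.9", "dport": "8443"},
    {"src": "10.0.0.10", "dport": "22"},
    {"src": "10.0.0.11"},
]

# The four ports the original search was meant to drop.
EXCLUDED = ("53", "123", "80", "443")


def not_equal(event, field, value):
    """Splunk `field!=value`: true only if the field exists AND differs from value."""
    return field in event and event[field] != value


def or_of_negations(events):
    """`dport!=53 OR dport!=123 OR dport!=80 OR dport!=443` (the original query).

    Any event with a dport satisfies at least three of the four clauses,
    so nothing is actually excluded except events lacking the field."""
    return [e for e in events if any(not_equal(e, "dport", p) for p in EXCLUDED)]


def and_of_negations(events):
    """`dport!=53 AND dport!=123 AND dport!=80 AND dport!=443` (the corrected query).

    Keeps only events whose dport exists and is none of the four values."""
    return [e for e in events if all(not_equal(e, "dport", p) for p in EXCLUDED)]


def not_of_ors(events):
    """`NOT (dport=53 OR dport=123 OR dport=80 OR dport=443)`.

    Same exclusion, but events with no dport field are kept as well."""
    return [e for e in events if not any(e.get("dport") == p for p in EXCLUDED)]


if __name__ == "__main__":
    print("OR  form keeps:", [e["src"] for e in or_of_negations(EVENTS)])   # 6 of 7
    print("AND form keeps:", [e["src"] for e in and_of_negations(EVENTS)])  # 8443, 22
    print("NOT form keeps:", [e["src"] for e in not_of_ors(EVENTS)])        # + no-dport event
```

Whether you want the no-`dport` event in the results decides between the `AND` of `!=` clauses and the `NOT (...)` form.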

somesoni2
Revered Legend

Good catch.

somesoni2
Revered Legend

Your syntax is correct. I would check 1) if the field dport exists, and 2) if it does, that it holds the exact port values that you're specifying, with no additional characters/data.


skoelpin
SplunkTrust

It's better to include than to exclude, but it looks good to me

You should verify the ports are actually present in your logs, which may be the reason why it's not working:

index="network" | stats count by dport
