conditional searching

jalfrey · ‎07-19-2013

I am looking at firewall logs. The destination port appears twice in some log lines. I want a search that will show me all the events where the two values are not the same.

here is a sample log where they do match

Jul 19 09:08:03 10.203.14.34 id=firewall sn=0017C598FCCC time="2013-07-19 09:08:02" fw=10.203.14.34 pri=6 c=512 m=602 msg="DNS packet allowed" n=43102 src=10.200.0.52:53:X1:eng-dc-01.eng.sonicwall.com dst=10.203.14.34:55034:X1 proto=udp/55034

The values in this log we need are:

dst=10.203.14.34:55034:X1

the formatting for this is (ip address):(port number):(interface) . So that means this connection was on port 55043. I call this one dst_port

proto=udp/55034

This is formatted as: (transport)/(port number) . So in the example this is on port 55034. I call this one port

I trying searches/filtering that looks like (main search) if not (dst_port = port)

MuS · ‎07-19-2013

Hi jalfrey

You can either use

 main search | search NOT dst_port=55034

or

main search | where NOT dst_port=55034

The if() command works different in Splunk: if(contition,WhatToDoIfTrue,WhatToDoIfNot) like in

 eval WasThePort55034 =  if(dst_port=55034, Yes, No)

Hope this helps

Cheers, MuS

MuS · ‎07-19-2013

Try this to compare two fields value:

eval match=if(dst_port=port, Yes, No) | where match=No | table _time dst_port port match

Does that make sense?

jalfrey · ‎07-19-2013

Sorry MuS. I think I was not clear enough.
I want to know if the dst_por and port do not equal eachother. If so show the results.

conditional searching

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life