Ever wonder whether an address in your events has an anonymous FTP server running? It could be one of your own addresses in your data center, where running an anonymous FTP site is supposed to be prohibited. This is a Splunk command called ftpstatus that checks in real time whether anonymous FTP is running on the address in question and returns a status.
Usage:
| ftpstatus
The distribution comes with a sample_addresses.log file that gets indexed into your sample index. (Make sure you have a sample index if you are going to use the sample data.) You can do things like:
index="sample" sourcetype="sample_addresses" address!="" | rename address as ftp_address | ftpstatus | table ftp_address, ftpstatus
Read the README.txt for installation instructions.
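For auditing your own addresses outside Splunk, the kind of check described above can be sketched in Python with the standard ftplib module. This is an added example, not the app's own code; the status strings, the function names and the ftp_factory and check parameters are assumptions made for illustration.

```python
import ftplib

# Hypothetical status values; the app's real output strings are not shown on this page.
ANON_ENABLED = "anonymous_enabled"
ANON_DENIED = "anonymous_denied"
NO_FTP = "no_ftp_service"
ERROR = "ftp_error"


def check_anonymous_ftp(address, port=21, timeout=5.0, ftp_factory=ftplib.FTP):
    """Try an anonymous login against address:port and classify the result.

    ftp_factory is injectable so the logic can be exercised without a network.
    """
    ftp = ftp_factory()
    try:
        ftp.connect(address, port, timeout=timeout)
    except (OSError, EOFError, ftplib.Error):
        # Refused, timed out, unresolvable, or the banner was not a valid FTP greeting.
        return NO_FTP
    try:
        ftp.login()  # ftplib defaults to user "anonymous"
        return ANON_ENABLED
    except ftplib.error_perm:
        # Permanent 5xx reply (typically 530): anonymous users are rejected.
        return ANON_DENIED
    except (ftplib.Error, OSError, EOFError):
        return ERROR
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()


def annotate(events, field="ftp_address", check=check_anonymous_ftp):
    """Add an ftpstatus field to each event dict, probing each address only once."""
    cache = {}
    for event in events:
        addr = event.get(field)
        if addr:
            if addr not in cache:
                cache[addr] = check(addr)
            event["ftpstatus"] = cache[addr]
    return events
```

Caching per address matters when the same host appears in many events, since each check opens a live connection to the target.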