I was asked to create a query that will allow the user to see only the open ports. An example log looks something like this:
10/24/2023 06:00:04,source=SXXXX-88880000,destination=10.10.100.130,DuBlIn_,11.11.119.111,port_80=True,port_443=True,port_21=False,port_22=True,port_25=False,port_53=False,port_554=False,port_139=False,port_445=False,port_123=False,port_3389=False
It looks easy enough: I want to table port_*=True. I want destination, src_ip, and the open ports. I asked our equivalent of Chat GPT about it, and I got this.
index=gpss sourcetype=acl "SXXXXXXX" destination="11.11.111.11"
| eval open_ports = case(
port_123=="True", "123",
port_139=="True", "139",
port_21=="True", "21",
port_22=="True", "22",
port_25=="True", "25",
port_3389=="True", "3389",
port_443=="True", "443",
port_445=="True", "445",
port_53=="True", "53",
port_554=="True", "554",
port_80=="True", "80",
true(), null()
)
| where open_ports!=null()
| mvexpand open_ports
| table _time, destination, gpss_src_ip, open_ports
But the open_ports!=null() wasn't allowed. I get "Error in 'where' command: Type checking failed. The '!=' operator received different types." During testing, I have a baseline event, an event with three open ports, but that search I ran only outputs the first one in the list. It hits port 22 first, since that's the first one in the case statement that is true. My main question is: how do I successfully tell Splunk to only grab the open ports that are True? Can I even do a wildcard somewhere, and request to pull port_* WHERE True? Thank you for any help.
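The following search is an added example written for this thread, not the poster's query and not taken from Splunk documentation. It keeps the poster's base search and field names (index=gpss, sourcetype=acl, destination, gpss_src_ip) as assumptions and assumes the port flags appear in the raw event exactly as in the sample line (port_NNN=True). Instead of a case() chain, which stops at the first true branch and so can only ever yield one port, it pulls every port_NNN=True pair out of _raw into one multivalue field and then expands it:

```spl
index=gpss sourcetype=acl "SXXXXXXX" destination="11.11.111.11"
| rex max_match=0 "port_(?<open_ports>\d+)=True"
| where isnotnull(open_ports)
| mvexpand open_ports
| table _time, destination, gpss_src_ip, open_ports
```

rex with max_match=0 matches the pattern as many times as it occurs in the event and collects each captured port number into open_ports as a multivalue field, so an event with three open ports produces three values. The where clause uses isnotnull() because null() is not a typed value that the comparison operators can test against, which is what the "received different types" error is complaining about; events with no open ports are dropped here. mvexpand then turns the multivalue field into one row per open port for the table. If the port flags are already extracted as fields rather than parsed from _raw, the wildcard the poster asks about can be done with foreach, e.g. foreach port_* [ eval open_ports=if('<<FIELD>>'=="True", mvappend(open_ports, "<<MATCHSTR>>"), open_ports) ], followed by the same where, mvexpand and table lines.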