cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
evelopers
Explorer
Member since: ‎10-02-2015
‎06-05-2020
Community Statistics
Posts 3
Solutions 1
Karma Given 0
Karma Received 1
Member Since ‎10-02-2015
Topics I've Started
No posts to display.
View All

Re: Netflow Analytics for Splunk: How to create a ...

by in All Apps and Add-ons
‎10-08-2015 01:47 PM
‎10-08-2015 01:47 PM
Assuming that you would like to create a CSV file with IP addresses to be excluded from search results : 1)As the first step a list of ip addresses should be created as a csv file, in this case with only one column, for example ip 10.0.1.1 192.168.0.23 192.168.0.24 It can be uploaded to Splunk using Settings >> Lookups >> Lookup table files >> New 2) it can be registered as a lookup using Settings >> Lookups >> Lookup definitions >> New there the previous csv file should be selected and named, for example as src_ip_blacklist 3) the following can be added to the query, to filter out the ip addresses NOT [|inputlookup src_ip_blacklist | rename ip AS src_ip | fields src_ip] The updated query would be look like: `netflow_search_rule_20067` NOT [|inputlookup src_ip_blacklist | rename ip AS src_ip | fields src_ip] | where NOT ( cidrmatch("10.0.0.0/8",dest_ip) OR cidrmatch("172.16.0.0/12",dest_ip) OR cidrmatch("192.168.0.0/16",dest_ip) OR cidrmatch("169.254.0.0/16",dest_ip) ) | `fix_src_ip_mapping` | `fix_dest_ip_mapping` | lookup protocol_lookup protocol AS protocol | `format_port_column(dest_port_string, dest_port)` | search ( dest_port_string="*(pop*)" OR dest_port_string="*(imap*)" OR dest_port_string="*(smtp)" OR dest_port_string="*(rdp)") | `sampling(bytes_in)` | `sampling(packets_in)` | `sampling(flow_count)` | stats sum(bytes_in) AS TrafficAmount sum(packets_in) AS PacketsAmount sum(flow_count) AS Connections max(_time) as max_time min(_time) as min_time by exp_ip src_ip dest_ip dest_port_string | `pct_of_total(pct, "20067", TrafficAmount)` | `default_preparation_for_comma_formatted_table` | table exp_ip_name src_ip dest_ip dest_port_string "Average Bits/s" "Total Traffic Bytes" pct "Average Packets/s" "Total Packets" "Total Connections" | rename exp_ip_name as "Device" | rename dest_port_string as "Destination Port" | rename pct as "% of Total" ... View more

Re: Netflow Analytics for Splunk: How to create a ...

by in All Apps and Add-ons
‎10-06-2015 11:31 PM
1 Karma
‎10-06-2015 11:31 PM
1 Karma
For this purpose the query from the table in the Traffic by Protocol and Port dashboard can be reused. 1) to filter out outbound traffic to private ip addresses: | where NOT ( cidrmatch("10.0.0.0/8",dest_ip) OR cidrmatch("172.16.0.0/12",dest_ip) OR cidrmatch("192.168.0.0/16",dest_ip) OR cidrmatch("169.254.0.0/16",dest_ip) ) 2) to filter applications: | search ( dest_port_string="(pop)" OR dest_port_string="(imap)" OR dest_port_string="(smtp)" OR dest_port_string="(rdp)") it can be extended as needed. After removing superfluous filters, and adding the two new above the final query would be: `netflow_search_rule_20067` | where NOT ( cidrmatch("10.0.0.0/8",dest_ip) OR cidrmatch("172.16.0.0/12",dest_ip) OR cidrmatch("192.168.0.0/16",dest_ip) OR cidrmatch("169.254.0.0/16",dest_ip) ) | `fix_src_ip_mapping` | `fix_dest_ip_mapping` | lookup protocol_lookup protocol AS protocol | `format_port_column(dest_port_string, dest_port)` | search ( dest_port_string="*(pop*)" OR dest_port_string="*(imap*)" OR dest_port_string="*(smtp)" OR dest_port_string="*(rdp)") | `sampling(bytes_in)` | `sampling(packets_in)` | `sampling(flow_count)` | stats sum(bytes_in) AS TrafficAmount sum(packets_in) AS PacketsAmount sum(flow_count) AS Connections max(_time) as max_time min(_time) as min_time by exp_ip src_ip dest_ip dest_port_string | `pct_of_total(pct, "20067", TrafficAmount)` | `default_preparation_for_comma_formatted_table` | table exp_ip_name src_ip dest_ip dest_port_string "Average Bits/s" "Total Traffic Bytes" pct "Average Packets/s" "Total Packets" "Total Connections" | rename exp_ip_name as "Device" | rename dest_port_string as "Destination Port" | rename pct as "% of Total" ... View more

Re: How to troubleshoot why the NetFlow Analytics ...

by in All Apps and Add-ons
‎10-02-2015 09:47 AM
‎10-02-2015 09:47 AM
If you see event count in index flowintegrator going up, but the App does not show any data, make sure you synchronized time on NetFlow Integrator (NFI) and Splunk. By default the App shows last 60 min, and if your time between NFI and Splunk is not in sync, the data can be out of window. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from
View All