sourcetype=openPorts Port IN (8076,9999,5555,8283,8284,8092,8093,9899) | search host=*511100471375* | table host Port
https://imgur.com/0qKvapm
This query will return all the hosts with 511100471375 in their names with open ports corresponding to the range given in the IN operator. However, that does not mean that port 2000 is not open on any of the hosts in the results. So if my query looks like
sourcetype=openPorts Port IN (8076,9999,5555,8283,8284,8092,8093,9899,2000) | search host=*511100471375* | table host Port
I will get the same results as the last query, with an additional entry for each host that has port 2000 open. What I am looking to achieve is to set an alarm to be triggered when a port is no longer open or is not present in the open ports on a given host, and I need to see which hosts no longer have the port open. Let's say the logic I am looking for is
sourcetype=openports return hosts that do not have Port=2000| table host Port
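One way to express that logic in SPL, as an added example that is not from the original post: collapse each host's open-port events into one multivalue field per host, then keep only the hosts where port 2000 is absent from that list. It assumes the same sourcetype and field names as the question (`openPorts`, `host`, `Port`); the time window, the `^2000$` pattern and the `open_ports` / `has_2000` names are assumptions.

```spl
sourcetype=openPorts host=*511100471375* earliest=-1h
| stats values(Port) as open_ports by host
| eval has_2000 = if(isnotnull(mvfind(open_ports, "^2000$")), 1, 0)
| where has_2000=0
| table host open_ports
```

`stats values(Port) by host` turns the per-port events into one row per host, so the absence of a port becomes a property of the row rather than something that has to be inferred from rows that are missing. `mvfind` returns the index of the first multivalue entry matching the regex, or null when nothing matches, which is the "port not open" condition the alert should fire on. Two caveats when wiring this into an alert: a host that stopped reporting entirely produces no events and therefore no row, so it would silently disappear from the result rather than show up as "port 2000 closed" (joining against a host inventory lookup closes that gap), and the `earliest` window should be at least as long as the scan interval that produces the `openPorts` events, otherwise a host can appear to have no ports open simply because its last scan fell outside the window.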