Hi, I'm running the below syntax on Splunk Enterprise to get traffic logs from Fortigate firewalls:

index="fortinet" "devname=" "xxxxx-xxxxxx" "vd=" "xxx-xxxxx" policyid=5 action=accept | stats count by srcip, dstip, dstport, service, action, date, time, policyid | dedup srcip dstip dstport service consecutive=true | sort 0 field

This gives me all TCP & UDP traffic, then I can download & filter in a .csv, but it doesn't pick up ICMP traffic (specifically ICMP type 8). I have to run a separate syntax to get just ICMP, as below:

index="fortinet" "devname=" "xxxxx-xxxxxx" "vd=" "xxx-xxxxx" policyid=5 action=accept | stats count by srcip, dstip, service, action, date, time, policyid | dedup srcip dstip service consecutive=true | sort 0 field

It seems that because ICMP has no dstport the syntax needs adjusting. What I need is a syntax that will return all traffic, i.e. TCP, UDP & ICMP. Please advise?

Naz
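One way to get a single search covering TCP, UDP and ICMP, as an added example that is not part of the original post: `stats ... by` and `dedup` (with its default keepempty=false) both drop events in which any listed field is missing, which is why the ICMP events, having no dstport, vanish from the first search. Filling the empty field with a sentinel value before those commands keeps the ICMP rows. The search terms, field names and the trailing `sort 0 field` are copied from the post; `none` as the sentinel is an assumption.

```spl
index="fortinet" "devname=" "xxxxx-xxxxxx" "vd=" "xxx-xxxxx" policyid=5 action=accept
| fillnull value="none" dstport
| stats count by srcip, dstip, dstport, service, action, date, time, policyid
| dedup srcip dstip dstport service consecutive=true
| sort 0 field
```

ICMP rows then appear with dstport=none alongside the TCP/UDP rows, so one CSV export holds all three protocols; if the sentinel is unwanted, `dedup ... keepempty=true` alone keeps the rows through dedup but the stats by-clause would still need a non-null dstport.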