Say, we have events like this:
| _time | fw | src_ip | dest_ip | dest_port | fw_rule_action |
|---|---|---|---|---|---|
| 8/1/22 1:30:00.000 AM | fw1 | 192.168.50.51 | 8.8.8.8 | 53 | block |
| 1/1/22 1:30:00.000 AM | fw1 | 192.168.50.51 | 8.8.8.8 | 53 | permit |
| 12/31/21 1:30:00.000 AM | fw1 | 192.168.50.51 | 8.8.8.8 | 53 | permit |
We want to find the events that changed based on fw_rule_action. The real world scenario can be that you consolidated the (whatever) rule base and after application, you want to see if some events are permitted that were blocked in the past and vice versa.
What is the right approach to find the (in this example) block events? Is creating a baseline the right way?
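As an added illustration of the two approaches the question raises (this is example code written for this page, not something from the original post or from any product), the following Python works over constructed events shaped like the table above. It keys each event on the flow tuple (fw, src_ip, dest_ip, dest_port), which is an assumption about what identifies "the same" traffic. `find_action_changes` flags any event whose `fw_rule_action` differs from the previous event for the same flow in time order; `build_baseline` plus `compare_to_baseline` implements the baseline variant, where the last action seen before a cutoff (for example the rule base change date) is recorded per flow and later events are compared against it.

```python
from datetime import datetime

# Constructed sample events mirroring the post's table; not real firewall data.
EVENTS = [
    {"_time": "8/1/22 1:30:00.000 AM", "fw": "fw1", "src_ip": "192.168.50.51",
     "dest_ip": "8.8.8.8", "dest_port": 53, "fw_rule_action": "block"},
    {"_time": "1/1/22 1:30:00.000 AM", "fw": "fw1", "src_ip": "192.168.50.51",
     "dest_ip": "8.8.8.8", "dest_port": 53, "fw_rule_action": "permit"},
    {"_time": "12/31/21 1:30:00.000 AM", "fw": "fw1", "src_ip": "192.168.50.51",
     "dest_ip": "8.8.8.8", "dest_port": 53, "fw_rule_action": "permit"},
]

# Timestamp layout as shown in the table (month/day/2-digit year, 12-hour clock).
TIME_FMT = "%m/%d/%y %I:%M:%S.%f %p"


def parse_time(value):
    """Parse the table's _time string into a datetime."""
    return datetime.strptime(value, TIME_FMT)


def flow_key(event):
    """Assumed identity of a flow: same firewall, source, destination and port."""
    return (event["fw"], event["src_ip"], event["dest_ip"], event["dest_port"])


def find_action_changes(events):
    """Sequential approach: walk events in time order per flow and return each
    event whose fw_rule_action differs from the flow's previous event.
    The returned events carry the previous action in 'prev_action'."""
    last_action = {}
    changes = []
    for event in sorted(events, key=lambda e: parse_time(e["_time"])):
        key = flow_key(event)
        action = event["fw_rule_action"]
        if key in last_action and last_action[key] != action:
            changes.append({**event, "prev_action": last_action[key]})
        last_action[key] = action
    return changes


def build_baseline(events, cutoff):
    """Baseline approach, step 1: record the last action seen per flow
    strictly before the cutoff (e.g. the date the rule base was consolidated)."""
    baseline = {}
    for event in sorted(events, key=lambda e: parse_time(e["_time"])):
        if parse_time(event["_time"]) < cutoff:
            baseline[flow_key(event)] = event["fw_rule_action"]
    return baseline


def compare_to_baseline(events, baseline, cutoff):
    """Baseline approach, step 2: return post-cutoff events whose action differs
    from the baseline for that flow, annotated with 'baseline_action'.
    Flows with no baseline entry are skipped (new traffic, not a change)."""
    deviations = []
    for event in sorted(events, key=lambda e: parse_time(e["_time"])):
        if parse_time(event["_time"]) < cutoff:
            continue
        key = flow_key(event)
        if key in baseline and baseline[key] != event["fw_rule_action"]:
            deviations.append({**event, "baseline_action": baseline[key]})
    return deviations


if __name__ == "__main__":
    for change in find_action_changes(EVENTS):
        print("sequential:", change["_time"], change["prev_action"], "->", change["fw_rule_action"])
    cutoff = datetime(2022, 7, 1)  # assumed rule-base change date
    base = build_baseline(EVENTS, cutoff)
    for dev in compare_to_baseline(EVENTS, base, cutoff):
        print("baseline:", dev["_time"], dev["baseline_action"], "->", dev["fw_rule_action"])
```

The sequential variant reports every flip, including temporary ones, so a flow that goes permit, block, permit shows up twice. The baseline variant only reports deviations from the pre-cutoff state, which is usually closer to the "what did the consolidation change" question, at the cost of missing flows that had no traffic before the cutoff.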