Hi all,
My question is focused on open ports but the condition applies to a wide range of scenarios. My question is the following:
I need to create alerts for specific ports when they are not open, and my query looks like this
sourcetype=openPorts Port=2000 | search host=*foo*
This checks all the hosts with "foo" in their name for open port 2000. My question is, how do I define a search that returns the hosts that do NOT have the specified port open? When I try to amend the query either using "NOT" or "!=", I get all port values that are not 2000. How do I get the results that do not have that value at all?
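The following is an added example, not part of the original question or of any answer on the page. It reproduces the two approaches in Python over constructed sample events (the event lines, host names and inventory are made up for illustration), so the difference is visible: a `Port!=2000` style filter is evaluated per event and simply keeps the other open ports, while a per-host aggregation answers the real question, "which hosts have no 2000 among their ports". It also handles the edge case the event filter can never surface: a host that produced no openPorts events at all, which only shows up if you compare against an inventory.

```python
import re
from collections import defaultdict

# Constructed sample events, shaped like sourcetype=openPorts results with
# host and Port fields. Not real data.
SAMPLE_EVENTS = [
    "host=foo-web01 Port=22",
    "host=foo-web01 Port=2000",
    "host=foo-web02 Port=22",
    "host=foo-web02 Port=443",
    "host=foo-db01 Port=2000",
    "host=bar-app01 Port=2000",   # does not match *foo*, must be ignored
]

# Constructed host inventory (in practice this would come from a CMDB or
# lookup table). foo-web03 has no openPorts events at all.
INVENTORY = ["foo-web01", "foo-web02", "foo-db01", "foo-web03"]

EVENT_RE = re.compile(r"host=(\S+)\s+Port=(\d+)")


def parse_events(lines):
    """Yield (host, port) tuples from key=value event lines."""
    for line in lines:
        m = EVENT_RE.search(line)
        if m:
            yield m.group(1), int(m.group(2))


def event_filter_not_port(lines, host_substring, port):
    """The naive approach: Port!=<port> applied per event.

    Returns every (host, port) pair whose port is not the target, which is
    exactly what the question describes: foo-web01 is still listed even
    though it does have port 2000 open."""
    return sorted({(h, p) for h, p in parse_events(lines)
                   if host_substring in h and p != port})


def hosts_without_port(lines, host_substring, port, inventory=None):
    """Aggregate per host first, then test the set of ports.

    Returns (scanned_hosts_missing_port, hosts_with_no_data). The second
    list is only populated when an inventory is supplied; without one a
    host that never reported any port is invisible to the search."""
    ports_by_host = defaultdict(set)
    for h, p in parse_events(lines):
        if host_substring in h:
            ports_by_host[h].add(p)
    missing = sorted(h for h, ports in ports_by_host.items()
                     if port not in ports)
    no_data = []
    if inventory is not None:
        no_data = sorted(h for h in inventory
                         if host_substring in h and h not in ports_by_host)
    return missing, no_data


if __name__ == "__main__":
    print("event-level NOT:", event_filter_not_port(SAMPLE_EVENTS, "foo", 2000))
    print("per-host check: ", hosts_without_port(SAMPLE_EVENTS, "foo", 2000, INVENTORY))
```

The per-host function mirrors the SPL pattern you would use for the alert, grouping by host before testing the value: `sourcetype=openPorts host=*foo* | stats count(eval(Port=2000)) AS hits BY host | where hits=0`. Note the caveat the inventory list illustrates: a host that produced no openPorts events during the search window returns nothing to `stats` and therefore never appears in the alert, so "port not open" and "no scan data" need to be distinguished by joining against a host lookup.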