I regularly generate a list of IP address and port pairs for which I should see traffic, and I log firewall traffic in Splunk. Is there a way that I can import that list of IP/port pairs and then compare it against the firewall logs to generate statistics? I'm particularly interested in low/no results, i.e. IP/port pairs which should be seen but haven't been. The comparison itself is simple; it's using the externally-generated list that I'm struggling with. I can create a lookup table, but I'm not sure how to compare the logs against that lookup table.
Any thoughts?
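One way to do the comparison described above, as an added SPL example that is not part of the original post: the expected pairs are assumed to live in a lookup file `expected_pairs.csv` with columns `dest_ip` and `dest_port` that match the field names in the firewall events, and `index=firewall` and the 24-hour window are assumptions.

```spl
index=firewall earliest=-24h
| stats count BY dest_ip dest_port
| inputlookup append=true expected_pairs.csv
| eval expected=if(isnull(count), 1, 0), count=coalesce(count, 0)
| stats sum(count) AS observed, max(expected) AS expected BY dest_ip dest_port
| where expected=1 AND observed=0
| table dest_ip dest_port observed
```

Rows coming from the lookup have no `count`, so they are tagged `expected=1`; after re-aggregating on the pair, anything expected with zero observed traffic is what remains, which is the "should be seen but hasn't been" set.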