I thought this would be easy but I'm struggling. I have a CSV of firewall rules from yesterday, and a CSV of firewall rules from today. They're being ingested into Splunk, but I figured the easiest way to compare the two would be to make them lookup tables. But I can't figure out how to compare ALL values. This is to audit for any changes. The data is kind of like this:
Yesterday's Rules:

| Name | Action | SrcIp | DestIp | Port |
|---|---|---|---|---|
| WebServer | Allow | 192.168.1.2 | 192.168.0.3 | 80 |
| Application | Deny | 192.168.1.10 | 192.168.0.11 | 1020 |
| Outbound | Allow | 192.168.0.0/24 | * | 80 |

Today's Rules:

| Name | Action | SrcIp | DestIp | Port |
|---|---|---|---|---|
| WebServer | Allow | 192.168.1.2 | 192.168.0.3,192.168.0.4 | 80 |
| Application | Deny | 192.168.1.10 | 192.168.0.11 | 1020 |
| Outbound | Allow | 192.168.0.0/24 | * | 80 |
In the example the WebServer can now access an additional server. But in reality any value could change and I need to alert on it. I basically just want to do a diff. A little surprised it's difficult to do in Splunk.
Hi @splunk219783,
You have to use stats; please try something like this:
| inputlookup yesterday_rules.csv
| eval lookup_name="yesterday_rules.csv"
| append [ | inputlookup today_rules.csv | eval lookup_name="today_rules.csv" ]
| stats
    dc(lookup_name) AS lookup_name_count
    values(lookup_name) AS lookup_name
    BY Name Action SrcIp DestIp Port
| where lookup_name_count=1
| table Name Action SrcIp DestIp Port lookup_name
In this way you have all the differences.
Ciao.
Giuseppe
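The same diff logic as an added stand-alone Python check, not part of the thread and not Splunk's code: it groups by every column exactly as the stats BY clause does, then pairs the leftover rows by Name so a modified rule reads as old -> new. The sample rows are constructed from the example above, and pairing by Name assumes names are unique within a snapshot (a renamed rule shows up as one removed and one added row).

```python
import csv
from io import StringIO

# Constructed sample snapshots mirroring the thread's example (not real rules).
YESTERDAY = """Name,Action,SrcIp,DestIp,Port
WebServer,Allow,192.168.1.2,192.168.0.3,80
Application,Deny,192.168.1.10,192.168.0.11,1020
Outbound,Allow,192.168.0.0/24,*,80
"""
TODAY = """Name,Action,SrcIp,DestIp,Port
WebServer,Allow,192.168.1.2,"192.168.0.3,192.168.0.4",80
Application,Deny,192.168.1.10,192.168.0.11,1020
Outbound,Allow,192.168.0.0/24,*,80
"""

FIELDS = ("Name", "Action", "SrcIp", "DestIp", "Port")


def load_rules(text):
    """Parse CSV text into a set of full-row tuples (one tuple per rule, all columns)."""
    return {tuple(r[f].strip() for f in FIELDS) for r in csv.DictReader(StringIO(text))}


def diff_rules(old_text, new_text):
    """Rows that exist in only one snapshot: the equivalent of dc(lookup_name)=1."""
    old, new = load_rules(old_text), load_rules(new_text)
    return {"removed": sorted(old - new), "added": sorted(new - old)}


def changed_by_name(diff):
    """Pair removed/added rows that share a Name and list which fields differ.
    Assumes Name is unique per snapshot; a row with only 'old' or only 'new'
    is a deleted or brand-new rule rather than a modification."""
    old_by_name = {r[0]: r for r in diff["removed"]}
    new_by_name = {r[0]: r for r in diff["added"]}
    changes = {}
    for name in sorted(set(old_by_name) | set(new_by_name)):
        o, n = old_by_name.get(name), new_by_name.get(name)
        fields = [f for i, f in enumerate(FIELDS) if o and n and o[i] != n[i]]
        changes[name] = {"old": o, "new": n, "fields": fields}
    return changes


if __name__ == "__main__":
    for name, c in changed_by_name(diff_rules(YESTERDAY, TODAY)).items():
        print(name, c["fields"], c["old"], "->", c["new"])
```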