Splunk® Enterprise Security

Installation and Upgrade Manual

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of ES. Click here for the latest version.
Acrobat logo Download topic as PDF

Additional dashboards

Configuration information on this page is currently a work in progress; expect frequent near-term updates. Additional dashboards to be added here.

Port & Protocol Tracker

The Port & Protocol Tracker dashboard tracks approved and unapproved port and protocol activity, based on the rules set up in Configure > Lists and Lookups > Application Protocols in the Splunk App for Enterprise Security.

Es-PortProtocolTrackerDashboard24 1.png Es-PortProtocolTrackerDashboard24 2.png

Relevant data sources

Relevant data sources for the Port & Protocol Tracker dashboard include data from devices that collect port and protocol information, along with data indexed in Splunk.

How to configure this dashboard

1. Index relevant data sources from a device, application, or system in Splunk.

2. Map the data to the following Common Information Model fields :


The Common Information Model fields bunit and category are derived by automatic identity lookup, and do not need to be mapped directly.

3. Tag your data with "network" AND "communicate".

Dashboard description

The Port & Protocol Tracker dashboard is populated by ad hoc searches against the sa_traffic namespace. This index is populated by This index is created by the Network - All Communication - TSIDX Gen search, which is a post-process of the Network - All Communication - Base saved search.

The Network - All Communication - Base search runs on a 15 minute cycle and looks at 15 minutes of data.

Schedule 5,20,35,50 * * * * Runs on a 15 minute schedule
Dashboard update window -20m@m to -5m@m Looks at 15 minutes of data

Note: The search window stops at "5 minutes ago", because some data sources may not have provided complete data in a more recent time frame.

For more information on namespaces, see "Verify that a data model namespace exists" in the troubleshooting section of this manual. See "Tscollect" in the Splunk Search Reference Manual for more information about namespaces.

Useful searches/Troubleshooting

Troubleshooting Task Search/Action Expected Result
Verify that you have data from your network device(s) sourcetype=<your_sourcetype_for_your_data> Returns data from your network device(s).
Verify that port and protocol data is indexed in Splunk tag=network tag=communicate
or `traffic`
Returns all port and protocol data from your device(s)
Verify that local port and protocol data exists |`traffic` Returns local port and protocol data
Verify that port and protocol data is normalized to the Common Information Model properly |`traffic`|table dvc transport src dest_port Returns a list of events and the specific port and protocol data fields populated from your device(s)

Additional Information

For more information about using the Port & Protocol Tracker dashboard, see Port & Protocol Tracker dashboard in the Splunk for Enterprise Security User Manual.

Last modified on 27 December, 2013
Audit dashboards

This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters