A Splunk technology add-on (TA) to enrich network port numbers with service names and descriptions.
This TA adds fields to any event that contains a transport field and either a dest_port or src_port field.
These fields are elements of the Splunk Common Information Model (CIM) for networking.
Depending on which fields are available in an event, service fields and service description fields may be added, provided the transport/port combination is registered with IANA. The following table lists the added fields (in bold). If both dest_port and src_port exist, both sets of service fields may be added.
transport | port | | service | service description
---|---|---|---|---
transport | dest_port | → | **dest_svc** | **dest_svc_description**
transport | src_port | → | **src_svc** | **src_svc_description**
The dest_svc or src_svc field is the IANA service name for the port in question and follows the naming convention recommended for the Network CIM. The dest_svc_description or src_svc_description field is the IANA description of the service.
The TA should be installed only on search heads. It can be deployed to a search head cluster via a deployer. It will run on Linux or Windows.
Once per month (by default), the TA runs a scheduled search (named network-port-numbers_update_iana_ports) that updates the lookup table with the latest port information from IANA.
This functionality requires Splunk 8.0 or later (i.e. Python 3). The search heads should have Internet web access for this to work.
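The two pieces of behaviour described above, building a transport/port lookup from the IANA registry and then adding the dest_svc/src_svc and description fields to CIM events that carry transport plus a port field, are shown below as an added Python example. This is not the TA's own code; the function names, the constructed sample rows and the sample events are assumptions, and the column headers follow the public IANA service-names-port-numbers CSV layout (only the columns used here are shown).

```python
import csv
import io

# Constructed sample rows in the column layout of IANA's
# service-names-port-numbers.csv (assumption: the real file has more columns
# and many more rows; only the columns this example uses are kept).
IANA_CSV = """Service Name,Port Number,Transport Protocol,Description
ssh,22,tcp,The Secure Shell (SSH) Protocol
ssh,22,udp,The Secure Shell (SSH) Protocol
domain,53,tcp,Domain Name Server
domain,53,udp,Domain Name Server
http,80,tcp,World Wide Web HTTP
x11,6000-6063,tcp,X Window System
,1023,tcp,Reserved
"""

# Constructed sample events in Network CIM field naming.
SAMPLE_EVENTS = [
    {"transport": "tcp", "src_port": "51234", "dest_port": "80"},
    {"transport": "udp", "src_port": 22, "dest_port": 53},
    {"transport": "TCP", "dest_port": "6010"},
    {"dest_port": "80"},                       # no transport -> nothing added
    {"transport": "tcp", "dest_port": "1023"}, # reserved, no service name
]


def parse_iana_csv(text):
    """Build {(transport, port): (service, description)} from IANA-style CSV.

    Port ranges such as '6000-6063' are expanded to one key per port, and rows
    with no service name (reserved or unassigned ports) are skipped. When IANA
    lists a port/transport pair more than once, the first entry wins.
    """
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        name = (row.get("Service Name") or "").strip()
        ports = (row.get("Port Number") or "").strip()
        proto = (row.get("Transport Protocol") or "").strip().lower()
        if not name or not ports or not proto:
            continue
        lo, _, hi = ports.partition("-")
        desc = (row.get("Description") or "").strip()
        for port in range(int(lo), int(hi or lo) + 1):
            table.setdefault((proto, port), (name, desc))
    return table


def enrich(event, table):
    """Return a copy of a CIM event with dest_svc/dest_svc_description and
    src_svc/src_svc_description added where transport and the matching port
    field are present and the pair is registered in the lookup table."""
    out = dict(event)
    transport = str(event.get("transport", "")).strip().lower()
    if not transport:
        return out
    for side in ("dest", "src"):
        raw = event.get(f"{side}_port")
        if raw in (None, ""):
            continue
        try:
            port = int(raw)
        except (TypeError, ValueError):
            continue  # non-numeric port value: leave the event untouched
        hit = table.get((transport, port))
        if hit:
            out[f"{side}_svc"], out[f"{side}_svc_description"] = hit
    return out


def enrich_all(events, table):
    """Enrich a list of events; convenience wrapper for batch use."""
    return [enrich(e, table) for e in events]


if __name__ == "__main__":
    lookup = parse_iana_csv(IANA_CSV)
    for e in enrich_all(SAMPLE_EVENTS, lookup):
        print(e)
```

The lookup key is (transport, port) rather than port alone because IANA registers names per transport; a TCP-only registration must not be applied to a UDP event with the same port number.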
Updated app.conf for SHC so that the lookup is not overwritten by a deployer bundle push; i.e. deployer_lookups_push_mode = always_preserve.
Initial release