topic Re: Search for total number of src_ip connections to a dest_ip in Splunk Search

How to search for total number of src_ip connections to a dest_ip?

Gurv_Bahad — Tue, 08 Mar 2022 03:57:16 GMT

trying to list the total number of allowed connections to a destination IP from any/all source IP's

currently using the following search,

index=firewall_usa dest_ip=xx.xx.xx.xx action=allowed
| stats count BY src_ip dest_ip
| where count > 1
| sort – count

Is there a better/ quicker way to do this

Re: Search for total number of src_ip connections to a dest_ip

SanjayReddy — Sun, 06 Mar 2022 14:58:37 GMT

Hi @Gurv_Bahad

This might help,

Howerver what is your expected output

Accordingly we can modify SPL to show the output

index=firewall_us dest_ip=xx.xx.xx.xx action=allowed
| stats list(src_ip) as soucre count by dest_ip

| where count > 1
| sort – count

Re: Search for total number of src_ip connections to a dest_ip

Gurv_Bahad — Sun, 06 Mar 2022 17:02:15 GMT

Thanks for the response Sanjay.

index=firewall_us dest_ip=xx.xx.xx.xx action=allowed
| stats list(src_ip) as source count by dest_ip

| where count > 1
| sort – count

This doesn't return any results at all
Actually I'm just looking for the total number of connections to the destination IP regardless of source IP.

Re: Search for total number of src_ip connections to a dest_ip

PickleRick — Sun, 06 Mar 2022 17:42:57 GMT

You probably have several, possibly different, network devices. Good practice would be to install the CIM app and parse all your network sources to be CIM-compliant (usually add-ons do that) and get the data into Network Traffic datamodel.

If you have lots of events, you can accelerate the datamodel so you only use accelerated summaries for your searches, not the raw data. It's much, much quicker this way.

Re: Search for total number of src_ip connections to a dest_ip

Gurv_Bahad — Mon, 07 Mar 2022 12:36:22 GMT

Thanks for your response;

Yes we do have several different network devices, all except firewall traffic goes to a network traffic index with FW events going to a separate index, but I believe CIM compliance has been taken care of.

Re: Search for total number of src_ip connections to a dest_ip

Gurv_Bahad — Mon, 07 Mar 2022 14:20:39 GMT

Appreciate the assistance from the experts here.

The ask has developed.

I'm looking to list total connections to destination IP by day, regardless of source to try and determine the volume of connections per day of the week and also if possible to determine when during the day do the number of connections peak.
Any help would be greatly appreciated.

Thanks in advance