topic Re: Group DNS queries per src_ip where two domains are queried within minutes in Splunk Search

Group DNS queries per src_ip where two domains are queried within minutes

Daniel_K — Mon, 21 Mar 2022 10:48:31 GMT

Hi experts,

I would appreciate some design help with a query where I want to see all src_ip's querying for two different domains within X minutes of time interval during a longer time period.

🙂

Re: Group DNS queries per src_ip where two domains are queried within minutes

gcusello — Mon, 21 Mar 2022 10:52:01 GMT

Hi @Daniel_K,

let me understand: you want to know the IPs that queried both the domains, is is it correct?

In this case, please, try something like this:

index=your_index (domain=domain1 OR domain=domain2) | stats dc(domain) AS dc_domain BY src_ip | where dc_domain=2 | table src_ip

Ciao.

Giuseppe

Re: Group DNS queries per src_ip where two domains are queried within minutes

Daniel_K — Mon, 21 Mar 2022 12:12:37 GMT

Thanks Giuseppe!

That search worked just fine but if you help me even more it would be great. Let's assume that both queries must be within X minutes of time but the complete query time is earliest=Y and latest=Z.

🙂

Re: Group DNS queries per src_ip where two domains are queried within minutes

ITWhisperer — Mon, 21 Mar 2022 12:39:06 GMT

index=your_index (domain=domain1 OR domain=domain2) | streamstats dc(domain) as dc_domain range(_time) as interval window=2 global=f by src_ip | where dc_domain=2 AND interval < 120 | table src_ip

Re: Group DNS queries per src_ip where two domains are queried within minutes

gcusello — Mon, 21 Mar 2022 13:21:18 GMT

Hi @Daniel_K,

sorry but I don't understand your request: you can choose the earliest and latest values using the Time Picker or the Time Modifiers (https://docs.splunk.com/Documentation/SCS/current/Search/Timemodifiers or https://docs.splunk.com/Documentation/Splunk/8.2.5/Search/Specifytimemodifiersinyoursearch).

So what's your question?

Ciao.

Giuseppe

Re: Group DNS queries per src_ip where two domains are queried within minutes

Daniel_K — Mon, 21 Mar 2022 13:49:55 GMT

Yes, you're correct and I was unclear.

I wanted the result to be whenever the 2 different domains where queried within a specific time frame.
Your suggestion was great and @ITWhisperer tweaked it a bit more to satisfy the needs.

I still think the search could be improve by:

* Group based on src_ip with only one line with the different domains within the time frame
* If any query as it is now gives more than one hit - the result will be wrong, right?

🙂

Re: Group DNS queries per src_ip where two domains are queried within minutes

ITWhisperer — Mon, 21 Mar 2022 14:45:03 GMT

I am not sure what you are asking here - you will get a "hit" each time the domain changes for a src_ip within the short period of time. You could dedup by src_ip to pick up on src_ip hitting both domains at any time in the overall time period, or even count by src_ip to find how many times the src_ip switched from one domain to the other. It depends on what it is that you are looking for.

Re: Group DNS queries per src_ip where two domains are queried within minutes

BahadirS — Mon, 21 Mar 2022 17:27:47 GMT

Hello @Daniel_K ,

I think I understand what you are trying to do.

You could use bucket/bin command. Then use time field to group other fields.

For X=5 minutes

index=something | bucket span=5m _time | stats count by src_ip, _time