topic Re: How to write query for too many blocked traffic to one single destination in Splunk Search

How to write query to detect too much blocked traffic to one single destination?

Pooja_R — Fri, 05 Aug 2022 14:57:49 GMT

I have created a query to detect too much blocked traffic to one single destination.Somehow this doesn't work. Help me to resolve this.

bin _time span = 5m as timespan | eval start time = strptime(connection_start_time,"%Y-%m-%d %H:%M:%S")

|stats dc(D_IP)as num values (start_time)by src_ip | search num>3 | sort num desc

I want to display the src ip,hostname,destination ip, count

Re: How to write query for too many blocked traffic to one single destination

yuanliu — Fri, 05 Aug 2022 02:41:59 GMT

First, it is imperative to show sample data. Second, the phrase "doesn't work" conveys very little information. You kind of described what you expect, but didn't provide sample output to demonstrate what "doesn't work".

Now, to your query - again, I have nothing to base this on except comparing your stats command with your desired output: the stats command as written will give out fields "num", `values(start_time)`, and "src_ip"; it will not give hostname and destination_ip.

Re: How to write query for too many blocked traffic to one single destination?

gcusello — Fri, 05 Aug 2022 14:45:00 GMT

Hi @Pooja_R,

I agree with @yuanliu , could you better describe what in your search don't work?

Anyway, to display a value field in a stats command, you can use the values() option, something like this:

<your_search> | bin _time span = 5m | stats dc(D_IP)as dest_ip_count earliest(_time) AS start_time values(host) AS hostname values(dest_ip) AS dest_ip BY src_ip | search dest_ip_count>3 | eval start_time=strptime(connection_start_time,"%Y-%m-%d %H:%M:%S") | sort -dest_ip_count

Ciao.

Giuseppe