https://community.splunk.com/t5/Splunk-Search/How-to-analyse-the-traffic-of-specific-ip-address-dest-with-port/m-p/657539#M227121 <BLOCKQUOTE><HR />yes I have some index and sourcetypes<BR />but I don't know how to choose the index and sourcetypes for this ip address<BR /><HR /></BLOCKQUOTE><P>Can you confirm this: So you want to know which index/indices, and which sourcetype(s) contain records of interest. &nbsp;Is this correct?</P><LI-CODE lang="markup">index=* src=**.**.***.** OR **.**.***.** dest_ip=**.***.***.*** dest_port=443 | stats count by index sourcetype</LI-CODE><P>This should give you &nbsp;a list of index-sourcetype combinations that contain the specific IP and port. (Also, if you can use search command immediately following a search command, the two search commands should be combined into one. (The first command is an implied "search".)</P> Thu, 14 Sep 2023 06:56:27 GMT yuanliu 2023-09-14T06:56:27Z https://community.splunk.com/t5/Splunk-Search/How-to-analyse-the-traffic-of-specific-ip-address-dest-with-port/m-p/657436#M227081 <P>Hi All,<BR /><BR />i didn't get the result by using this below&nbsp; query search.&nbsp;<BR />how to check and confirm the index and source type specifically to precise the query<BR /><BR /><SPAN><SPAN class="">index=*| search src=**.**.***.** OR **.**.***.** dest_ip=**.***.***.*** dest_port=443<BR /><BR /></SPAN></SPAN>How to confirm the source type and index</P> Thu, 14 Sep 2023 16:59:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-analyse-the-traffic-of-specific-ip-address-dest-with-port/m-p/657436#M227081 Jana42855 2023-09-14T16:59:46Z https://community.splunk.com/t5/Splunk-Search/How-to-analyse-the-traffic-of-specific-ip-address-dest-with-port/m-p/657447#M227086 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/260542">@Jana42855</a>&nbsp;,</P><P>I suppose that you already have the log indexed and stored in an index with one sourcetype.</P><P>At first you should define the index where the logs are stored and the sourcetype to use.</P><P>Then, using this index and this sourcetype, you should check <SPAN>if the field names are correct (field names are case sensitive) and&nbsp;</SPAN>if the fields to use in the search (<SPAN>&nbsp;src, dest_ip, dest_port) are present in all events.</SPAN></P><P><SPAN>then you don't need to use the search command, put all the parameters in the main search, you'll have a more performant search, then don't use index=*, because is slower than index=your_index.</SPAN></P><LI-CODE lang="markup">index=&lt;your_index&gt; src=**.**.***.** OR **.**.***.** dest_ip=**.***.***.*** dest_port=443</LI-CODE><P>&nbsp;Ciao.</P><P>Giuseppe</P> Wed, 13 Sep 2023 15:52:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-analyse-the-traffic-of-specific-ip-address-dest-with-port/m-p/657447#M227086 gcusello 2023-09-13T15:52:30Z https://community.splunk.com/t5/Splunk-Search/How-to-analyse-the-traffic-of-specific-ip-address-dest-with-port/m-p/657452#M227088 <P>Hi Thanks for the reply..<BR /><BR />yes I have some index and sourcetypes<BR />but I don't know how to choose the index and sourcetypes for this ip address<BR /><BR />Thanks,</P> Wed, 13 Sep 2023 16:05:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-analyse-the-traffic-of-specific-ip-address-dest-with-port/m-p/657452#M227088 Jana42855 2023-09-13T16:05:57Z https://community.splunk.com/t5/Splunk-Search/How-to-analyse-the-traffic-of-specific-ip-address-dest-with-port/m-p/657539#M227121 <BLOCKQUOTE><HR />yes I have some index and sourcetypes<BR />but I don't know how to choose the index and sourcetypes for this ip address<BR /><HR /></BLOCKQUOTE><P>Can you confirm this: So you want to know which index/indices, and which sourcetype(s) contain records of interest. &nbsp;Is this correct?</P><LI-CODE lang="markup">index=* src=**.**.***.** OR **.**.***.** dest_ip=**.***.***.*** dest_port=443 | stats count by index sourcetype</LI-CODE><P>This should give you &nbsp;a list of index-sourcetype combinations that contain the specific IP and port. (Also, if you can use search command immediately following a search command, the two search commands should be combined into one. (The first command is an implied "search".)</P> Thu, 14 Sep 2023 06:56:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-analyse-the-traffic-of-specific-ip-address-dest-with-port/m-p/657539#M227121 yuanliu 2023-09-14T06:56:27Z https://community.splunk.com/t5/Splunk-Search/How-to-analyse-the-traffic-of-specific-ip-address-dest-with-port/m-p/657554#M227123 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/260542">@Jana42855</a>,</P><P>the first step is to know the data to search, otherwise it's very difficoult!</P><P>Anyway, you could start to run a search like the following:</P><LI-CODE lang="markup">index=&lt;your_index&gt; (src=* OR dest_ip=* OR dest_port=*)</LI-CODE><P>in this way you have all the events containing these fields.</P><P>then you can analyze them&nbsp; and identify index and sourcetype to use.</P><P>Remember that you can see only the indexes where you were enabled, in other words, if you don't have grants to access an index you don't see it.</P><P>Ciao.</P><P>Giuseppe</P> Thu, 14 Sep 2023 07:59:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-analyse-the-traffic-of-specific-ip-address-dest-with-port/m-p/657554#M227123 gcusello 2023-09-14T07:59:19Z