topic Re: How to combine my 2 searches to list all source and destination IPs based on same destination port? in Splunk Search

How to combine my 2 searches to list all source and destination IPs based on same destination port?

tve784 — Tue, 28 Apr 2015 22:57:24 GMT

I'm trying to get my current 2 searches into 1. I am trying to get a list of all source and destination ip's based on the same destination port. I have it in 2 searches by doing this on the end of my search:

| stats count by src_ip

second search

| stats count by dest_ip

basically i just need a list of all source ip's and a list of all dest ip's that have the same dest port

any tips or help would be greatly appreciated

Re: How to combine my 2 searches to list all source and destination IPs based on same destination port?

kml_uvce — Mon, 28 Sep 2020 19:42:28 GMT

try this

|transaction dest_port|table dest_port, src_ip, dest_ip

Re: How to combine my 2 searches to list all source and destination IPs based on same destination port?

NOUMSSI — Tue, 28 Apr 2015 23:11:46 GMT

Hello.
try this:

index=... soucetype=... dest_port=*| stats count by src_ip| stats count by dest_ip| table src_ip dest_ip dest_port

Re: How to combine my 2 searches to list all source and destination IPs based on same destination port?

tve784 — Tue, 28 Apr 2015 23:13:46 GMT

that's still grouping them together somehow. Its making multiple rows with not all the same results in each row

Re: How to combine my 2 searches to list all source and destination IPs based on same destination port?

tve784 — Tue, 28 Apr 2015 23:21:14 GMT

this give 0 results

Re: How to combine my 2 searches to list all source and destination IPs based on same destination port?

NOUMSSI — Mon, 28 Sep 2020 19:38:43 GMT

... dest_port=*| table src_ip dest_ip dest_port

Re: How to combine my 2 searches to list all source and destination IPs based on same destination port?

tve784 — Tue, 28 Apr 2015 23:24:45 GMT

i didnt think you can do 2 stats commands like that in a row because the second one wouldnt have any results because there is no dest ip to count by from the first stats command

Re: How to combine my 2 searches to list all source and destination IPs based on same destination port?

tve784 — Tue, 28 Apr 2015 23:26:26 GMT

yeah i tried that already it shows each src and dest ip paired together

Re: How to combine my 2 searches to list all source and destination IPs based on same destination port?

NOUMSSI — Tue, 28 Apr 2015 23:28:10 GMT

what do you want now?

Re: How to combine my 2 searches to list all source and destination IPs based on same destination port?

tve784 — Tue, 28 Apr 2015 23:31:29 GMT

a list of all source ip's and a list of all destination ip's for any given destination port. the way you have it shows each ip talking together i dont need that. I just need a list of the ip's not whats talking to what.

Re: How to combine my 2 searches to list all source and destination IPs based on same destination port?

NOUMSSI — Tue, 28 Apr 2015 23:46:10 GMT

for example, if you've number of port 8000, you want something like this?

dest_port=8000| table src_ip dest_ip dest_port

Re: How to combine my 2 searches to list all source and destination IPs based on same destination port?

tve784 — Tue, 28 Apr 2015 23:50:29 GMT

no so if you do that it lists out multiple results if there are any. for example if there are 10 src ip's that are 1.1.1.1 it list that 10 times. same with dest ip's. so i guess i need unique source ip's and unique dest ip's. sorry i should have put unique values in my question.

Re: How to combine my 2 searches to list all source and destination IPs based on same destination port?

tve784 — Mon, 28 Sep 2020 19:38:46 GMT

i thought i had it with

| dedup src_ip | stats list(src_ip), list(dest_ip) by dest_port

but its still showing multiple of the same dest ip's

Re: How to combine my 2 searches to list all source and destination IPs based on same destination port?

NOUMSSI — Tue, 28 Apr 2015 23:59:09 GMT

Ok now i understand you better. Use de commande dedup to have unique values. Try this:

dest_port=8000| dedup src_ip | dedup dest_ip | table src_ip dest_ip dest_port

Re: How to combine my 2 searches to list all source and destination IPs based on same destination port?

stephane_cyrill — Mon, 28 Sep 2020 19:38:49 GMT

Hi if you need a list of all source ip's and dest
ip's that have the same dest port

try something like:

......|eval src_dest_ip=coalesce(dest_ip,src_ip)|stats values (src_dest_ip)|where ......condition on ip's....

Re: How to combine my 2 searches to list all source and destination IPs based on same destination port?

tve784 — Wed, 29 Apr 2015 00:06:10 GMT

yep already tried that one too. It cuts out some of the ip's for some reason. So like if i run my 2 separate searches i get 9 total src ip's and 20 total dest ip's. i run this and its only giving me 8 of each. so 1 src ip and 12 dest ip's disappeared.

Re: How to combine my 2 searches to list all source and destination IPs based on same destination port?

tve784 — Wed, 29 Apr 2015 00:17:00 GMT

this puts it all into one list i need them in 2 lists one list for src and one list for dest

Re: How to combine my 2 searches to list all source and destination IPs based on same destination port?

tve784 — Mon, 28 Sep 2020 19:38:52 GMT

i figured it out

| stats values(src_ip),values(dest_ip) by dest_port

Re: How to combine my 2 searches to list all source and destination IPs based on same destination port?

taylorgo — Sat, 06 May 2017 14:51:47 GMT

Thanks, this helped me resolve a similar question. I was trying to get a list single list of website actions by IP address for a given date, and this helped me figure it out:

| stats values(actions), earliest(datetime) by src_ip