topic Re: Top 10 IP along w/ top 4 ports in Splunk Search

Top 10 IP along w/ top 4 ports

lbogle — Mon, 28 Sep 2020 16:45:39 GMT

Hello Splunkers,
I'm looking to build a search w/ chart that tracks top 10 source IP's in a firewall but also a listing of the actual ports each IP is using. So like a top 10 src_ip and then the top 3 ports (dest_port) that each of the src_ip's is using. Does that make sense?
I can make the top 10 src_ip happen but I'm having trouble w/ adding the top 3 ports on top of that.
I've so far been able to list the total number of ports but not which actual ports the IP's are using the most.
Does that make sense?
Thanks for any assistance.

Re: Top 10 IP along w/ top 4 ports

dmaislin_splunk — Thu, 29 May 2014 18:39:36 GMT

stats count by src_ip,port

Re: Top 10 IP along w/ top 4 ports

lbogle — Mon, 28 Sep 2020 16:45:41 GMT

The comma. Brilliant. Thank you. Did not think to use that. The result is very close to what I am trying to get visualize and it's the closest I've come to it but I'm essentially trying to get a top 10 for src_ip and then combine it w/ a top 3 for dest_port so I have a bar graph where the X axis lists each IP and on top of each IP (y axis) is a stacked bar/graph indicating each port used and each stack in the bar indicates how many times each port has been used.
Does that make sense?
Thank you very much for your help!

Re: Top 10 IP along w/ top 4 ports

dmaislin_splunk — Mon, 28 Sep 2020 16:45:43 GMT

Another way is:

stats values(port) by src_ip
or
stats list(port) by src_ip

Re: Top 10 IP along w/ top 4 ports

somesoni2 — Thu, 29 May 2014 19:15:01 GMT

Try this

 index=firewall host=ofw.Cadence.COM [search index=firewall host=ofw.Cadence.COM | top 10 src_ip | table src_ip]| stats count by src_ip,port | streamstats count as sno by src_ip | where sno < 4 | table src_ip, port,count

Re: Top 10 IP along w/ top 4 ports

somesoni2 — Thu, 29 May 2014 20:17:30 GMT

I updated the answer based on your example. Let me know if that works.

Re: Top 10 IP along w/ top 4 ports

lbogle — Mon, 28 Sep 2020 16:45:49 GMT

So close! That got us the correct X line with the IP's at the bottom but the graph stacks did not list the used port numbers or limit the number of IP's according to the top 10 search.
This search (below) does stack the ports properly and it does provide a legend. Does not list or limit IP's though. Check it out: index=firewall host=ofw.Corp.COM | stats count by src_ip,dest_port | chart sum(count) by src_ip dest_port
here is a link to the article: http://answers.splunk.com/answers/46246/how-do-i-create-a-firewall-report-with-both-destination-ip-and-destination-port
Thanks for your help.

Re: Top 10 IP along w/ top 4 ports

lbogle — Mon, 28 Sep 2020 16:45:52 GMT

Hey I think I found it! Check it out:
index=firewall host=ofw.Corp.COM NOT ran.dom.ip.add [search index=firewall host=ofw.Corp.COM | top 15 src_ip | table src_ip] | stats count by src_ip,dest_port | chart sum(count) by src_ip dest_port