topic Re: How to search for the same IP in multiple sourcetypes within a certain time frame? in Splunk Search

How to search for the same IP in multiple sourcetypes within a certain time frame?

janiceb — Tue, 19 Apr 2016 14:45:24 GMT

Greetings,

I am looking for a way to search through 2 sourcetypes:

sourcetype=bro_http AND sourcetype=McAfee
to find any indications of a source IP on my network that shows up in those sourcetypes within a certain time frame, let's say an hour. They both have a common field name of src_ip.

The purpose is to attempt to try and detect a possible incident that may have occurred and see any correlation that may exist.

Any ideas would be appreciated.

Thanks,

Janice

Re: How to search for the same IP in multiple sourcetypes within a certain time frame?

twinspop — Tue, 19 Apr 2016 14:58:35 GMT

sourcetype=bro_http OR sourcetype=McAfee | 
chart count over src_ip by sourcetype | 
where McAfee>0 and bro_http>0

Re: How to search for the same IP in multiple sourcetypes within a certain time frame?

sundareshr — Tue, 19 Apr 2016 14:58:59 GMT

Try this

index=* sourcetype=bro_http OR sourcetype=McAfee src_ip=* | chart count over src_ip by sourcetype | where bro_http>0 AND McAfee>0

Re: How to search for the same IP in multiple sourcetypes within a certain time frame?

muebel — Tue, 19 Apr 2016 15:24:57 GMT

Hi janiceb,

This search will give you all related events for src_ip values that appear in both sourcetypes given a particular search time range:

src_ip=* sourcetype=bro_http OR sourcetype=McAfee | eventstats dc(sourcetype) AS sourcetype_count by src_ip | where sourcetype_count > 1

Please let me know if this answers your question!

Re: How to search for the same IP in multiple sourcetypes within a certain time frame?

twinspop — Tue, 19 Apr 2016 15:38:28 GMT

After posting above, I think I realized what you want: Has an IP showed up in both sourcetypes within an hour of each other. I think something like this will work:

sourcetype=bro_http OR sourcetype=McAfee| 
bucket _time span=1m | 
stats count by src_ip sourcetype _time | sort _time |
streamstats current=f last(_time) as prev_time, last(sourcetype) as prev_sourcetype by src_ip | 
where prev_sourcetype!=sourcetype and _time-prev_time<3600 | 
eval prev_time=strftime(prev_time,"%Y-%m-%d %T")

Re: How to search for the same IP in multiple sourcetypes within a certain time frame?

janiceb — Tue, 19 Apr 2016 15:46:29 GMT

Thanks so much for your help. All of the searches worked, but this one gave me the best view of what I was trying to accomplish. I will try to build upon it from there to include other sourcetypes.

Re: How to search for the same IP in multiple sourcetypes within a certain time frame?

janiceb — Tue, 19 Apr 2016 15:50:34 GMT

Hi Sundareshr. Thanks for your help. This search worked.

Re: How to search for the same IP in multiple sourcetypes within a certain time frame?

janiceb — Tue, 19 Apr 2016 16:04:28 GMT

Thanks for your assistance. I wasn't able to get this to work for me.