https://community.splunk.com/t5/Splunk-Search/How-to-create-a-host-scanning-report-to-count-the-number-of-IPs/m-p/262500#M78803 <P>You bet. Does that accomplish what you were trying to do?</P> Mon, 08 Feb 2016 17:19:52 GMT justinatpnnl 2016-02-08T17:19:52Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-host-scanning-report-to-count-the-number-of-IPs/m-p/262495#M78798 <P>I don't know if this has been answered in another question, but I'm trying to run a report for external IPs that have scanned our network. I'm indexing our full packet capture solution. My problem is that my criterion for a scan is one external IP that has connected to more than let's say 100 internal IPs in say under 1 minute. </P> <P>So basically I'm asking, how do I create a report where I want to count the number of IPs where one field in one event is another field of 100 other events where the difference in a 3rd field (timestamp) in those 100 events is less than a certain value (1 minute). Could someone give me an idea on how to solve this please?</P> Tue, 02 Feb 2016 11:12:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-host-scanning-report-to-count-the-number-of-IPs/m-p/262495#M78798 ststephe 2016-02-02T11:12:29Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-host-scanning-report-to-count-the-number-of-IPs/m-p/262496#M78799 <P>What about something like this?</P> <PRE><CODE>... your search for scan data ... | bucket _time span=1m | stats dc(internal_ip) as connected_ips by _time, external_ip | search connected_ips &gt;= 100 </CODE></PRE> Tue, 02 Feb 2016 21:51:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-host-scanning-report-to-count-the-number-of-IPs/m-p/262496#M78799 justinatpnnl 2016-02-02T21:51:28Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-host-scanning-report-to-count-the-number-of-IPs/m-p/262497#M78800 <P>I'm still a little new to splunk searches so I'm not quite sure I understand this search. you bucket all events that span 1 minute then count all internal_ip (not sure what as does or the comma) using _time as an input and declaring connected_ips as a variable somehow? then searching that value for all values greater than 100? As a programmer I'm thinking of more of a foreach loop of some kind, which I also don't really understand in splunk, then counts through each external IP and counts the number of events with a different internal IP in the span of 1 minute and returns that external IP and count of events so I can put in a pie chart.</P> <P>Could you please help me with this search. </P> Tue, 29 Sep 2020 08:38:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-host-scanning-report-to-count-the-number-of-IPs/m-p/262497#M78800 ststephe 2020-09-29T08:38:49Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-host-scanning-report-to-count-the-number-of-IPs/m-p/262498#M78801 <P>No problem, I'll explain what I was thinking and see if it matches up with what you wanted to accomplish.</P> <P>First: <CODE>| bucket _time span=1m</CODE></P> <P>This takes all of your events and essentially rounds their timestamps down to the current minute. This allows you to have a common field <CODE>_time</CODE> for all of your events that occurred within the same minute</P> <P>Next: <CODE>| stats dc(internal_ip) as connected_ips by _time, external_ip</CODE></P> <P>The stats command allows you to perform operations on your data like count, average, or in this case: Distinct count. Basically I'm telling it to give you a count of the unique internal IP addresses, using <CODE>as</CODE> to give it a new field name called connected_ips. Using <CODE>by</CODE> we tell the results to grouped by _time (which is now grouped into one minute intervals) and external_ip.</P> <P>The comma separating the two <CODE>by</CODE> fields is optional, I just like to use it for readability.</P> <P>Finally: <CODE>| search connected_ips &gt;= 100</CODE></P> <P>Now we tell Splunk to take the previous data and only show the results that talked to 100+ internal IPs. You should now have a result that lists the _time, external_ip, and the number of internal IPs that they connected to.</P> <P>Does that match with what you were shooting for?</P> Tue, 29 Sep 2020 08:39:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-host-scanning-report-to-count-the-number-of-IPs/m-p/262498#M78801 justinatpnnl 2020-09-29T08:39:50Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-host-scanning-report-to-count-the-number-of-IPs/m-p/262499#M78802 <P>Thank you for the help, that makes much more sense. </P> Mon, 08 Feb 2016 15:53:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-host-scanning-report-to-count-the-number-of-IPs/m-p/262499#M78802 ststephe 2016-02-08T15:53:43Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-host-scanning-report-to-count-the-number-of-IPs/m-p/262500#M78803 <P>You bet. Does that accomplish what you were trying to do?</P> Mon, 08 Feb 2016 17:19:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-host-scanning-report-to-count-the-number-of-IPs/m-p/262500#M78803 justinatpnnl 2016-02-08T17:19:52Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-host-scanning-report-to-count-the-number-of-IPs/m-p/262501#M78804 <P>yes it does. Thank you very much</P> Tue, 09 Feb 2016 12:26:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-host-scanning-report-to-count-the-number-of-IPs/m-p/262501#M78804 ststephe 2016-02-09T12:26:05Z