All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Create a multi-level sankey using IPs and Ports

j4adam
Communicator
‎08-25-2016 10:49 AM

Hello all,

I'm attempting to make a multi-level sankey visualization mapping src_ip to dest_ip and then dest_ip to dest_port. The high level is that I'm looking for a visualization to see who's connecting to what and on which port. Sankey is ideal because you can quickly see if multiple soruces are connecting to the same IP and port.

I can get the src_ip to dest_ip line, but the problem I'm having is branching from there to another level for the ports. Currently the port is just displayed when moused over. I'm feeding it with a four column table currently:

| stats count by src_ip, dest_ip, dest_port | table src_ip, dest_ip, count, dest_port

Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎08-25-2016 12:01 PM

You may have to "append" as source/dest. Something like this may work (haven't tried it, but you could)

*UPDATED*

 index=_internal sourcetype=*web_access | stats count by uri status | rename uri AS from status AS to | append [ search index=_internal sourcetype=*web_access | stats count by status referer | rename status AS from referer AS to ]

View solution in original post

Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top