Archive
Highlighted

Cisco IPS Top Signature by top hosts

Path Finder

New to the splunk community and still learning the way of searches. In a nutshell i want to do a search against a cisco IPS sensor for top 5 signatures over 24hours. Easy to do but how can i then take that result and say top signature show me the top srcip's. I was thinking that i could pipe the results into another top limit=5 srcip but no luck. Ive even tried doing top limit=1 signature. Thinking something with append maybe?

host=IPSSensor1 | top limit=5 signature

sig count percent
5474 9289 86.304934
3653 1114 10.350274
1208 116 1.077766
1204 66 0.613212
11020 60 0.557465

Thanks,

Cory

Tags (2)
0 Karma
Highlighted

Re: Cisco IPS Top Signature by top hosts

SplunkTrust
SplunkTrust

To show the top 5 ips for the top signature you can run this search:

host=ipssensor1 [search host=ipssensor1 | top 1 signature | fields signature] | top 5 src_ip

The subsearch in square brackes will evaluate to signature=5474 which is used by the outer search as a filter.

View solution in original post

Highlighted

Re: Cisco IPS Top Signature by top hosts

Path Finder

Thanks Martin. Powerful search string once i added a time range to my dashboard.

0 Karma