
Persistent Connections

New Member

Hi!

I believe the following search displays the number of connections in one hour over 24 hours. I am looking for a search to show connection count over a 10 minute span in the last 24 hours. Trying to find persistent connections. 1 connection to an external IP every 10 minutes for 24 hours.

index=firewall earliest=-24h@h latest=@h | bucket _time span=1h | stats count by _time, dst, dstport | eventstats count(eval(count>0)) AS hours_nonzero BY dst dstport | search hours_nonzero>=24

Any help would be appreciated!

Thank you!
Ashley

0 Karma

Re: Persistent Connections

SplunkTrust

index=firewall earliest=-24h@h latest=@h
| bucket _time span=10m
| stats count by _time, dst, dstport
| eventstats count(eval(count>0)) AS periods_nonzero BY dst dstport
| search periods_nonzero>=144

0 Karma
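The logic of that search (bucket events into 10-minute spans, count how many spans each dst/dstport pair appears in, keep the pairs present in all 144 spans of a 24-hour window) is reproduced below in Python over a constructed set of firewall events, so the detection can be run and checked offline. This is an added example, not code from the thread; the sample events, the function names and the 203.0.113.10 / 198.51.100.5 addresses are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def make_sample_events():
    """Constructed sample firewall events (not from the original thread).

    One destination is contacted once in every 10-minute slot for 24 hours
    (a persistent/beaconing pattern); a second destination is hit only a few times.
    Each event is (timestamp, dst, dstport).
    """
    start = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
    events = []
    # Persistent: 144 connections, one per 10-minute slot, to 203.0.113.10:443
    for i in range(144):
        events.append((start + timedelta(minutes=10 * i, seconds=37), "203.0.113.10", 443))
    # Sporadic: four connections to 198.51.100.5:80 at irregular times
    for i in (3, 17, 42, 90):
        events.append((start + timedelta(minutes=10 * i + 2), "198.51.100.5", 80))
    return start, events


def bucket_index(ts, start, span):
    """Index of the fixed-width bucket containing ts, like `bucket _time span=10m`."""
    return int((ts - start) / span)


def persistent_destinations(events, start, window=timedelta(hours=24), span=timedelta(minutes=10)):
    """Return the (dst, dstport) pairs seen in every span-sized bucket of the window.

    Mirrors the SPL:
        bucket _time span=10m | stats count by _time, dst, dstport
        | eventstats count(eval(count>0)) AS periods_nonzero BY dst dstport
        | search periods_nonzero>=144
    Because `stats count by _time` only emits buckets that had events, counting
    rows with count>0 is the same as counting distinct buckets per pair, which is
    what the set of bucket indices below does.
    """
    n_buckets = int(window / span)  # 24h / 10m = 144
    seen = defaultdict(set)         # (dst, dstport) -> bucket indices with >= 1 event
    for ts, dst, dstport in events:
        if start <= ts < start + window:
            seen[(dst, dstport)].add(bucket_index(ts, start, span))
    return sorted(key for key, buckets in seen.items() if len(buckets) >= n_buckets)


if __name__ == "__main__":
    start, events = make_sample_events()
    for dst, port in persistent_destinations(events, start):
        print(f"persistent: {dst}:{port}")
```

Requiring presence in all 144 buckets is strict: a single missed slot (the host rebooted, a packet was dropped) clears the alert, which is why the threshold is a parameter here and is often lowered to a fraction of the buckets in practice. Grouping by dst and dstport alone, as the thread does, also merges every internal host that talks to that destination; adding src to the key isolates the individual beaconing host.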