Getting Data In

Creating a graph based on unique Source IP hits

netdefilr
New Member

Hello,

I'm not sure of the best way this can be handled, but I have a Citrix Netscaler, and I've copied its logs from our Syslog server to a temporary Splunk setup. I'm looking to graph unique Source IPs (in the log) to Vservers, as it seems a virus on a computer made a number of attempts to one of our websites. I'm trying to see if there are other computers out there doing these hits as well. Not sure if Splunk is the right answer.

Here's a log sample:

2013-01-07T13:40:59.996431-05:00 netscaler 01/07/2013:13:41:02 netscaler PPE-0 : TCP CONN_DELINK 30096954 : Source ip:port - Vserver ip:port - NatIP ip:port - Destination ip:port - Delink Time 01/07/2013:13:41:02 - Total_bytes_send 943 - Total_bytes_recv 401

1 Solution

kristian_kolb
Ultra Champion

If your logs look like the above, but with IP addresses instead of "Source ip" and "Vserver ip", and you'd like to see something like:

vserver      sourceips
1.2.3.4      11.22.33.44
             22.33.44.55
             33.44.55.66

2.3.4.5      6.5.4.3
             8.7.6.5

Then that is most certainly doable!

First you have to make Splunk understand which part of the event you want to report on, and assign that to a field. If you are really new to this, I suggest you read up on the documentation for the concept of fields and field extraction.

Then, when you have the configuration set up, you can search the logs like this (for an appropriate time range):

sourcetype = your_type | stats values(sourceips) by vserver

Hope this helps,

Kristian

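As an added illustration of the two steps in the answer above (this is my own example, not code from the original post, from Splunk or from Citrix): the regex below pulls the Source, Vserver, NatIP and Destination ip:port pairs out of the CONN_DELINK line format shown in the question, and the two aggregation functions reproduce what "stats values(sourceips) by vserver" and a "stats count by vserver, src_ip" would give you, so you can see the shape of the result before building the Splunk field extraction. It assumes real log lines carry dotted-quad addresses where the sample shows the placeholders "ip:port"; the field names (src_ip, vserver, and so on) and the RFC 5737 documentation addresses in the constructed sample lines are mine. The same named-group regex can be handed to Splunk's rex command, or stored as an EXTRACT entry in props.conf, to create the fields the answer refers to.

```python
import re
from collections import Counter, defaultdict

# Pattern for the "TCP CONN_DELINK" line format shown in the question. The
# sample there has placeholders such as "Source ip:port", so this assumes the
# real logs carry a dotted-quad address and a port in each position. The group
# names (src_ip, vserver, ...) are my own choice, not Splunk's or Citrix's.
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
CONN_DELINK_RE = re.compile(
    rf"TCP CONN_DELINK \d+ : "
    rf"Source (?P<src_ip>{IP}):(?P<src_port>\d+) - "
    rf"Vserver (?P<vserver>{IP}):(?P<vserver_port>\d+) - "
    rf"NatIP (?P<nat_ip>{IP}):(?P<nat_port>\d+) - "
    rf"Destination (?P<dst_ip>{IP}):(?P<dst_port>\d+) - "
    rf"Delink Time \S+ - Total_bytes_send (?P<bytes_sent>\d+) - "
    rf"Total_bytes_recv (?P<bytes_recv>\d+)"
)

TIMESTAMP = "2013-01-07T13:40:59.996431-05:00 netscaler 01/07/2013:13:41:02"


def _sample(conn_id, src, vserver, nat_port, dst):
    """Build one constructed CONN_DELINK line in the format of the question's sample."""
    return (f"{TIMESTAMP} netscaler PPE-0 : TCP CONN_DELINK {conn_id} : "
            f"Source {src} - Vserver {vserver} - NatIP 198.51.100.7:{nat_port} - "
            f"Destination {dst} - Delink Time 01/07/2013:13:41:02 - "
            f"Total_bytes_send 943 - Total_bytes_recv 401")


# Constructed sample: one client hitting vserver 203.0.113.5 three times, a
# second client hitting it once, a third client on a different vserver, plus
# the literal placeholder line from the question, which must not match.
SAMPLE_LINES = [
    _sample(30096954, "192.0.2.10:51234", "203.0.113.5:443", 2001, "10.0.0.20:443"),
    _sample(30096955, "192.0.2.10:51235", "203.0.113.5:443", 2002, "10.0.0.20:443"),
    _sample(30096956, "192.0.2.10:51236", "203.0.113.5:443", 2003, "10.0.0.21:443"),
    _sample(30096957, "192.0.2.11:40001", "203.0.113.5:443", 2004, "10.0.0.20:443"),
    _sample(30096958, "192.0.2.12:40002", "203.0.113.9:80", 2005, "10.0.0.30:80"),
    f"{TIMESTAMP} netscaler PPE-0 : TCP CONN_DELINK 30096954 : Source ip:port - "
    "Vserver ip:port - NatIP ip:port - Destination ip:port - Delink Time "
    "01/07/2013:13:41:02 - Total_bytes_send 943 - Total_bytes_recv 401",
]


def parse_line(line):
    """Return the extracted fields for a CONN_DELINK event, or None for any other line."""
    m = CONN_DELINK_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("src_port", "vserver_port", "nat_port", "dst_port", "bytes_sent", "bytes_recv"):
        fields[key] = int(fields[key])
    return fields


def sourceips_by_vserver(lines):
    """Equivalent of `stats values(sourceips) by vserver`: sorted unique source IPs per vserver."""
    seen = defaultdict(set)
    for line in lines:
        event = parse_line(line)
        if event:
            seen[event["vserver"]].add(event["src_ip"])
    return {vserver: sorted(ips) for vserver, ips in seen.items()}


def hits_by_source(lines):
    """Equivalent of `stats count by vserver, src_ip | sort -count`: noisiest clients first."""
    counts = Counter()
    for line in lines:
        event = parse_line(line)
        if event:
            counts[(event["vserver"], event["src_ip"])] += 1
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for vserver, ips in sourceips_by_vserver(SAMPLE_LINES).items():
        print(vserver, " ".join(ips))
    for (vserver, src_ip), count in hits_by_source(SAMPLE_LINES):
        print(f"{vserver:<16}{src_ip:<16}{count}")
```

The second aggregation is the one that answers the question's actual worry: the unique-IP list tells you which clients talked to a vserver at all, while the per-client count surfaces the one machine making an unusual number of connections to a single site, and any others behaving the same way.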

kristian_kolb
Ultra Champion

Start with reading up on what Splunk is and what it can do. To understand fields and field extraction, see the second link.

http://docs.splunk.com/Documentation/Splunk/latest/Tutorial/WelcometotheSplunkTutorial

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutfields


netdefilr
New Member

I've never created an event like this before, any advice?

