Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I correlate firewall traffic from two different timestamps

matthewg
Explorer
‎03-31-2017 08:59 AM

I want to get a list of traffic that has accessed the same site at two different times. All I know are the times: say 10:00 AM and 11:30 AM.
How can I get a list of events where an internal IP connected to the same external IP at or near both times. I don't know either of the IP's I simply want to find a list of connections that were active at both times.

  • earliest="(date and time)" latest="(date and time)" AND earliest="(date and time)" latest="(date and time)"
0 Karma
Reply

pradeepkumarg
Influencer
‎03-31-2017 04:06 PM

Increase your time range to cover both the time frames and search for something like below

Assuming your field names are internal_ip external_ip

index=your_index earliest=your_earliest_time latest=your_latest_time | stats count, values(_time) by internal_ip,external_ip | search count > 1

This will result in the events where the combination of internal_ip and external_ip occurred more than once along with the time of access

0 Karma
Reply

matthewg
Explorer
‎01-23-2019 02:12 PM

But what if I have hundreds or thousands of combinations of internal and external ips that connected multiple times in between those times but I want to filter to the ones close to those two time intervals?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security: Your Command Center for PCI DSS Compliance

Every security professional knows the drill. The PCI DSS audit is approaching, and suddenly everyone's asking ...

Developer Spotlight with Guilhem Marchand

From Splunk Engineer to Founder: The Journey Behind TrackMe    After spending over 12 years working full time ...

Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...

The Problem: When Networks and Services Don't Talk Payment systems fail at a retail location. Customers are ...