Knowledge Management

How to modify Data model n/w traffic search?

balu1211
Path Finder
 

Hi all,

Kindly help to modify Query on Data Model network traffic , I have built the query
index=firewall sourcetype="traffic" 
| stats ,values(dest_port) as dest_port,values(dest_ip) as dest_ip, dc(dest_ip) as num_dest_ip, dc(dest_port) as num_dest_port by src_ip
| where (num_dest_ip > 350 and num_dest_port > 800)

Thanks

Labels (1)
Tags (1)
0 Karma
1 Solution

woodcock
Esteemed Legend

It is rude to keep extending your question.  Either ask THE WHOLE QUESTION FIRST or accept a valid answer for the question that you did ask and ask ANOTHER QUESTION.  In any case, here is your solution:

| tstats ,values(All_Traffic.dest_port) AS dest_port values(All_Traffic.dest_ip) AS dest_ip dc(All_Traffic.dest_ip) AS num_dest_ip dc(All_Traffic.dest_port) AS num_dest_port
FROM datamodel=Network_Traffic
WHERE index="firewall" AND sourcetype="traffic"
BY All_Traffic.src_ip
| rename All_Traffic.* AS *
| where (num_dest_ip > 350 AND num_dest_port > 800)
| lookup address.csv Ips AS src_ip OUTPUT comments AS src_comments
| where NOT match(src_comments, "(?i)scanner")
| lookup address.csv Ips AS dest_ip OUTPUT comments AS dest_comments
| where NOT match(dest_comments, "(?i)scanner")

View solution in original post

woodcock
Esteemed Legend

| tstats ,values(All_Traffic.dest_port) AS dest_port values(All_Traffic.dest_ip) AS dest_ip dc(All_Traffic.dest_ip) AS num_dest_ip dc(All_Traffic.dest_port) AS num_dest_port
FROM datamodel=Network_Traffic
WHERE index="firewall" AND sourcetype="traffic"
BY All_Traffic.src_ip
| rename All_Traffic.* AS *
| where (num_dest_ip > 350 AND num_dest_port > 800)

balu1211
Path Finder

@woodcock ,

@gcusello ,

@ITWhisperer 

Hi,

Here I'm trying to  exclude the IP address present in the address.csv lookup table.

Lookup table looks like eg.

Ips                    comments 

132.168.1.1   IP scanner

125.136.235.0    Alert scanner

146.46.53.0.   Firewall

134.56.56.3    network

Here I want to exclude the ips which are named like *scanner* from comments field

 

 

Thanks

   

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @balu1211,

you can use the solution from @ITWhisperer  or the following:

| tstats 
   values(dest_port) AS dest_port
   values(dest_ip) AS dest_ip
   dc(dest_ip) AS num_dest_ip
   dc(dest_port) AS num_dest_port 
   from datamodel=Network
   BY src_ip
| search [ | inputlookup your_lookup | fields Ips ] OR (num_dest_ip > 350 AND num_dest_port > 800)

I didn't understand if the filter on the src_ip is an AND or an OR condition with the counting conditions, but you can adapt my search to your requirement.

Ciao.

Giuseppe

 

0 Karma

balu1211
Path Finder

@gcusello , @ITWhisperer 
@woodcock ,
Hi,
I'm trying to write a query for the IPs from that lookup table should not match src ip as well as dest ip from lookup table.

ips                         comments

172.34.45.3            Logic Scanner

127.4.35.6              Alert Logic Scanner

123.66.78.3           ip scanner

125.55.3.4                  firewall

15.56.3.2                        network 

Here i'm looking for scanner* ips  should not match with  src_ip and dest_ip 



Thanks

0 Karma

woodcock
Esteemed Legend

It is rude to keep extending your question.  Either ask THE WHOLE QUESTION FIRST or accept a valid answer for the question that you did ask and ask ANOTHER QUESTION.  In any case, here is your solution:

| tstats ,values(All_Traffic.dest_port) AS dest_port values(All_Traffic.dest_ip) AS dest_ip dc(All_Traffic.dest_ip) AS num_dest_ip dc(All_Traffic.dest_port) AS num_dest_port
FROM datamodel=Network_Traffic
WHERE index="firewall" AND sourcetype="traffic"
BY All_Traffic.src_ip
| rename All_Traffic.* AS *
| where (num_dest_ip > 350 AND num_dest_port > 800)
| lookup address.csv Ips AS src_ip OUTPUT comments AS src_comments
| where NOT match(src_comments, "(?i)scanner")
| lookup address.csv Ips AS dest_ip OUTPUT comments AS dest_comments
| where NOT match(dest_comments, "(?i)scanner")

ITWhisperer
SplunkTrust
SplunkTrust
| lookup address.csv Ips as src_ip
| where comments != "scanner"
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @balu1211,

let me understand: you want to apply this search to the Network Traffic Data Model, is it correct?

if this is your requirement, please try something like this:

| tstats 
   values(dest_port) AS dest_port
   values(dest_ip) AS dest_ip
   dc(dest_ip) AS num_dest_ip
   dc(dest_port) AS num_dest_port 
   from datamodel=Network
   BY src_ip
| where (num_dest_ip > 350 AND num_dest_port > 800)

Ciao.

Giuseppe

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
index=firewall sourcetype="traffic" 
| stats ,values(dest_port) as dest_port,values(dest_ip) as dest_ip, dc(dest_ip) as num_dest_ip, dc(dest_port) as num_dest_port by src_ip
| where (num_dest_ip > 250 and num_dest_port > 700)
0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...