Hi all,
Kindly help me modify this query to use the Network Traffic data model; I have built the query:
index=firewall sourcetype="traffic"
| stats values(dest_port) as dest_port, values(dest_ip) as dest_ip, dc(dest_ip) as num_dest_ip, dc(dest_port) as num_dest_port by src_ip
| where (num_dest_ip > 350 and num_dest_port > 800)
Thanks
It is rude to keep extending your question. Either ask THE WHOLE QUESTION FIRST or accept a valid answer for the question that you did ask and ask ANOTHER QUESTION. In any case, here is your solution:
| tstats values(All_Traffic.dest_port) AS dest_port values(All_Traffic.dest_ip) AS dest_ip dc(All_Traffic.dest_ip) AS num_dest_ip dc(All_Traffic.dest_port) AS num_dest_port
FROM datamodel=Network_Traffic
WHERE index="firewall" AND sourcetype="traffic"
BY All_Traffic.src_ip
| rename All_Traffic.* AS *
| where (num_dest_ip > 350 AND num_dest_port > 800)
| lookup address.csv Ips AS src_ip OUTPUT comments AS src_comments
| where NOT match(src_comments, "(?i)scanner")
| lookup address.csv Ips AS dest_ip OUTPUT comments AS dest_comments
| where NOT match(dest_comments, "(?i)scanner")
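As an added example (not from any post in this thread), here is the same pipeline re-implemented in Python so the exclusion logic can be checked offline: the stats/dc aggregation by src_ip, the threshold, and the `(?i)scanner` lookup exclusion on both src_ip and dest_ip. The events and the address.csv contents are constructed sample data, the thresholds are parameters (the thread uses 350 and 800), and the handling of the multivalue dest_ip (drop the row if any destination is a known scanner) is an assumption about the intent stated in the thread, not Splunk's documented behaviour. A second function shows the `comments != "scanner"` variant that also appears in the thread, which only catches the literal string "scanner".

```python
import csv
import io
import re
from collections import defaultdict

# Constructed firewall events in the shape the thread's stats/tstats consumes:
# one (src_ip, dest_ip, dest_port) per event. Not real traffic.
SAMPLE_EVENTS = [
    ("192.0.2.10", "198.51.100.1", 22),
    ("192.0.2.10", "198.51.100.2", 80),
    ("192.0.2.10", "198.51.100.3", 443),
    ("192.0.2.10", "198.51.100.4", 8080),  # broad sweep: 4 hosts, 4 ports
    ("192.0.2.20", "198.51.100.1", 22),
    ("192.0.2.20", "198.51.100.2", 80),
    ("192.0.2.20", "198.51.100.3", 443),
    ("192.0.2.20", "198.51.100.3", 8443),  # same spread, but the source is a listed scanner
    ("192.0.2.30", "198.51.100.1", 22),
    ("192.0.2.30", "198.51.100.1", 22),    # one host, one port: never alerts
    ("192.0.2.40", "198.51.100.1", 22),
    ("192.0.2.40", "198.51.100.2", 80),
    ("192.0.2.40", "198.51.100.9", 443),   # 198.51.100.9 is a listed scanner host
    ("192.0.2.40", "198.51.100.5", 8080),
]

# Constructed lookup with the same two columns as the thread's address.csv.
ADDRESS_CSV = """Ips,comments
192.0.2.20,Alert Logic Scanner
198.51.100.9,IP scanner
192.0.2.99,firewall
"""

SCANNER_PATTERN = "(?i)scanner"  # same regex as the thread's where NOT match(...)


def load_lookup(csv_text):
    """Equivalent of the address.csv lookup: Ips -> comments."""
    return {row["Ips"]: row["comments"] for row in csv.DictReader(io.StringIO(csv_text))}


def aggregate_by_src(events):
    """Equivalent of stats values(dest_port) values(dest_ip) dc(dest_ip) dc(dest_port) BY src_ip."""
    dest_ips = defaultdict(set)
    dest_ports = defaultdict(set)
    for src_ip, dest_ip, dest_port in events:
        dest_ips[src_ip].add(dest_ip)
        dest_ports[src_ip].add(dest_port)
    return {
        src: {
            "dest_ip": sorted(dest_ips[src]),        # multivalue field
            "dest_port": sorted(dest_ports[src]),    # multivalue field
            "num_dest_ip": len(dest_ips[src]),
            "num_dest_port": len(dest_ports[src]),
        }
        for src in dest_ips
    }


def is_scanner(ip, lookup, pattern=SCANNER_PATTERN):
    """True when the lookup comment for ip matches the (case-insensitive) scanner regex."""
    comment = lookup.get(ip)
    return comment is not None and re.search(pattern, comment) is not None


def find_sweeps(events, lookup, min_dest_ips, min_dest_ports):
    """Rows that exceed both thresholds and are not excluded by the lookup on src_ip or dest_ip."""
    alerts = []
    for src_ip, row in sorted(aggregate_by_src(events).items()):
        if not (row["num_dest_ip"] > min_dest_ips and row["num_dest_port"] > min_dest_ports):
            continue
        if is_scanner(src_ip, lookup):  # where NOT match(src_comments, "(?i)scanner")
            continue
        # Assumption: a row is dropped if any of its destinations is a listed scanner.
        if any(is_scanner(d, lookup) for d in row["dest_ip"]):
            continue
        alerts.append(src_ip)
    return alerts


def find_sweeps_exact_match(events, lookup, min_dest_ips, min_dest_ports):
    """The thread's other attempt, `where comments != "scanner"`: an exact string compare on src_ip only."""
    return [
        src_ip
        for src_ip, row in sorted(aggregate_by_src(events).items())
        if row["num_dest_ip"] > min_dest_ips and row["num_dest_port"] > min_dest_ports
        and lookup.get(src_ip) != "scanner"
    ]


if __name__ == "__main__":
    lookup = load_lookup(ADDRESS_CSV)
    print("regex exclusion:", find_sweeps(SAMPLE_EVENTS, lookup, 2, 2))
    print("exact != 'scanner':", find_sweeps_exact_match(SAMPLE_EVENTS, lookup, 2, 2))
```

With thresholds of 2 and 2 on the sample data, the regex version alerts only on 192.0.2.10: 192.0.2.20 is dropped because its comment "Alert Logic Scanner" matches `(?i)scanner`, and 192.0.2.40 is dropped because one of its destinations is listed as "IP scanner". The exact-match version keeps all three, since none of the comments is literally "scanner".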
| tstats values(All_Traffic.dest_port) AS dest_port values(All_Traffic.dest_ip) AS dest_ip dc(All_Traffic.dest_ip) AS num_dest_ip dc(All_Traffic.dest_port) AS num_dest_port
FROM datamodel=Network_Traffic
WHERE index="firewall" AND sourcetype="traffic"
BY All_Traffic.src_ip
| rename All_Traffic.* AS *
| where (num_dest_ip > 350 AND num_dest_port > 800)
Hi,
Here I'm trying to exclude the IP addresses present in the address.csv lookup table.
The lookup table looks like this, e.g.:
Ips            comments
132.168.1.1    IP scanner
125.136.235.0  Alert scanner
146.46.53.0    Firewall
134.56.56.3    network
Here I want to exclude the IPs whose comments field looks like *scanner*.
Thanks
Hi @balu1211,
you can use the solution from @ITWhisperer or the following:
| tstats
values(dest_port) AS dest_port
values(dest_ip) AS dest_ip
dc(dest_ip) AS num_dest_ip
dc(dest_port) AS num_dest_port
from datamodel=Network
BY src_ip
| search [ | inputlookup your_lookup | fields Ips ] OR (num_dest_ip > 350 AND num_dest_port > 800)
I didn't understand whether the filter on src_ip is an AND or an OR condition with the counting conditions, but you can adapt my search to your requirement.
Ciao.
Giuseppe
@gcusello , @ITWhisperer
@woodcock ,
Hi,
I'm trying to write a query where the IPs from that lookup table should match neither src_ip nor dest_ip.
ips           comments
172.34.45.3   Logic Scanner
127.4.35.6    Alert Logic Scanner
123.66.78.3   ip scanner
125.55.3.4    firewall
15.56.3.2     network
Here I'm looking for the scanner* IPs to match neither src_ip nor dest_ip.
Thanks
| lookup address.csv Ips as src_ip
| where comments != "scanner"
Hi @balu1211,
Let me understand: you want to apply this search to the Network Traffic data model, is that correct?
If this is your requirement, please try something like this:
| tstats
values(dest_port) AS dest_port
values(dest_ip) AS dest_ip
dc(dest_ip) AS num_dest_ip
dc(dest_port) AS num_dest_port
from datamodel=Network
BY src_ip
| where (num_dest_ip > 350 AND num_dest_port > 800)
Ciao.
Giuseppe
index=firewall sourcetype="traffic"
| stats values(dest_port) as dest_port, values(dest_ip) as dest_ip, dc(dest_ip) as num_dest_ip, dc(dest_port) as num_dest_port by src_ip
| where (num_dest_ip > 250 and num_dest_port > 700)