Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search Unique Source IPs Associated with 10+ Unique Destination IPs

ltcsecurity
Observer
‎07-24-2020 07:23 AM

Hi all I’m new to Splunk so forgive my ignorance.  We’re currently using Splunk as a SIEM and I’m having trouble getting a search query put together.

What I’m looking for is:

Show me all unique sources that have initiated ICMP traffic.  I believe that I’m getting the correct results with the following search string.

index="indexabc" dest_port=0 | stats count by src_ip

The additional information I’m looking for is “by unique source IP (above) find those that have 10+ unique destination IPs (dest_ip).”

Tags (3)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-24-2020 07:56 AM

Try this.

index="indexabc" dest_port=0 
| stats count, dc(dest_ip) as UniqueDestinations by src_ip
| where UniqueDestinations >= 10
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...