Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Enterprise Security
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- Add fields to tstat results
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
girtsgr
Explorer
03-18-2020
06:49 AM
Hi!
I want to use a tstats search to monitor for network scanning attempts from a particular subnet:
| tstats `summariesonly` dc(All_Traffic.dest) as dest_count from datamodel=Network_Traffic.All_Traffic where (All_Traffic.dest="10.*" OR All_Traffic.dest="172.*" OR All_Traffic.dest="192.168.*") AND All_Traffic.src=10.128.0.0/16 by All_Traffic.src
| sort - dest_count
| where dest_count > 70
My index2 contains IP addresses and users (src_ip, user and event contains text string "LOCAL") that I would like to match with the All_Traffic.src IP addresses, so I would get the last user name that used the particular All_Traffic.src in the results. I have tried both join and map with no success:
| tstats `summariesonly` dc(All_Traffic.dest) as dest_count from datamodel=Network_Traffic.All_Traffic where (All_Traffic.dest="10.*" OR All_Traffic.dest="172.*" OR All_Traffic.dest="192.168.*") AND All_Traffic.src=10.128.0.0/16 by All_Traffic.src
| sort - dest_count
| where dest_count > 70
| rename All_Traffic.src AS src_ip
| join type=left src_ip
[search index=index2 "LOCAL"
| head 1
| fields src_ip user ]
| table All_Traffic.src dest_count user
join returns All_Traffic.src and dest_count without users.
| tstats `summariesonly` dc(All_Traffic.dest) as dest_count from datamodel=Network_Traffic.All_Traffic where (All_Traffic.dest="10.*" OR All_Traffic.dest="172.*" OR All_Traffic.dest="192.168.*") AND All_Traffic.src=10.128.0.0/16 by All_Traffic.src
| sort - dest_count
| where dest_count > 70
| rename All_Traffic.src AS srcip
| map search="search index=index2 "LOCAL" src_ip=$srcip$ | head 1 | fields user"
| table All_Traffic.src dest_count user
map returns users, but no All_Traffic.src and dest_count
What is the correct way to get the results I need?
Thank you.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HiroshiSatoh
Champion
03-18-2020
09:40 PM
| map search="search index=index2 "LOCAL" src_ip=$srcip$ | head 1 | fields user"
→
| map search="search index=index2 "LOCAL" src_ip=$srcip$ | head 1 |eval dest_count =$dest_count$ | fields src_ip dest_count user"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HiroshiSatoh
Champion
03-18-2020
09:40 PM
| map search="search index=index2 "LOCAL" src_ip=$srcip$ | head 1 | fields user"
→
| map search="search index=index2 "LOCAL" src_ip=$srcip$ | head 1 |eval dest_count =$dest_count$ | fields src_ip dest_count user"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
girtsgr
Explorer
03-20-2020
01:06 AM
Can you post this as an answer, so I can mark it as the correct one? I don't have the option to do this on a comment. Thanks 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
girtsgr
Explorer
03-19-2020
12:58 AM
This works, thank you very much!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
03-18-2020
02:50 PM
| table All_Traffic.src dest_count user
→
| table src_ip dest_count user
you renamed the field.
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year
At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...
Tech Talk Recap | Mastering Threat Hunting
Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...
Observability for AI Applications: Troubleshooting Latency
If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...
