Splunk Enterprise Security

Values and counts

vishwanadhan_mu
Explorer

Ex: query=google.com , yahoo.com
src= xyz-pc , abc-pc

I want to know the count of queries to each domain queried by an individual computer.

For example, If I see a computer xyz-pc going to malicious sites multiple times everyday. I want to create a bin/bucket list to find, how many blocked queries and how many times the source computer has reached out to.

Thanks.
Vish

0 Karma

woodcock
Esteemed Legend

Like this:

... | stats count BY query src
| sort 0 - count
| stats list(*) AS * BY src
| stats sum(count) AS TotalCount BY src
| sort 0 - TotalCount
0 Karma

vishwanadhan_mu
Explorer

Could you pleas explain me how it works, if possible.

Especially the sort 0

0 Karma

woodcock
Esteemed Legend

Does this work for you? The 0 on the sort makes it unlimited (the command has a stupid default that trims the result set). To see what it is doing, just add in each line one by one.

0 Karma

vishwanadhan_mu
Explorer

IT worked. Thanks a lot

0 Karma

woodcock
Esteemed Legend

OK, then you should come back and click Accept on the answer to close the question.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...