Splunk Enterprise Security

need help writing firewall log search command

New Member

hi ,

I need help writing a query to fetch the details for the below mentioned logic

For the firewall logs, accept events from same source IP more than 100 times, to more than 3 destination IP


Labels (1)
0 Karma


Perhaps this will help.

index=firewall | stats count dc(dst_ip) as dst_count by src_ip | where (count > 100 AND dst_count > 3)
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...