Splunk Enterprise Security

need help writing firewall log search command

nithin_45_10
New Member

hi ,

I need help writing a query to fetch the details for the below mentioned logic

For the firewall logs, accept events from same source IP more than 100 times, to more than 3 destination IP

Thanks

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Perhaps this will help.

index=firewall | stats count dc(dst_ip) as dst_count by src_ip | where (count > 100 AND dst_count > 3)
---
If this reply helps you, an upvote would be appreciated.
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!