Splunk Enterprise Security

need help writing firewall log search command

New Member

hi ,

I need help writing a query to fetch the details for the below mentioned logic

For the firewall logs, accept events from same source IP more than 100 times, to more than 3 destination IP


Labels (1)
0 Karma


Perhaps this will help.

index=firewall | stats count dc(dst_ip) as dst_count by src_ip | where (count > 100 AND dst_count > 3)
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of the streaming infrastructure for Splunk APM and Splunk RUM in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...