Re: Alert on Duplicate IPs with detail

zippo706 · ‎03-14-2021

I'm trying to produce an alert based on a user logged in w/ 2 ips within 10 minutes. I have a way to determine if they have it, however, i would like to see the IPS addresses they had in the alert. How can i achieve this?

The following will trigger, but need to see the ips as well.

index="w3logs" earliest = -10m
| eval tempx = split(X_Forwarded_For,",")
| eval ip=mvindex(tempx,0)
| stats dc(ip) as dup by cs_username | where dup > 1

scelikok · ‎03-14-2021

Hi @zippo706,

You can simply add values(ip) function to stats command to display ip addresses;

index="w3logs" earliest = -10m
| eval tempx = split(X_Forwarded_For,",")
| eval ip=mvindex(tempx,0)
| stats dc(ip) as dup values(ip) as ip by cs_username | where dup > 1

If this reply helps you an upvote and "Accept as Solution" is appreciated.

tscroggins · ‎03-14-2021

@zippo706

Try this assuming your data is normalized and X_Forwarded_For is a custom header extraction:

index=w3logs earliest=-20m
| eval src=coalesce(mvindex(split(X_Forwarded_For, ","), 0), src)
| streamstats time_window=10m dc(src) as src_count by user
| where src_count > 1 AND _time > relative_time(now(), "-10m")
| stats min(_time) as _time values(src) as src by user
| eval src=mvjoin(src, ",")
| table _time user src

Replace user with cs_username if needed.

Alert on Duplicate IPs with detail

stats

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life