Splunk Search

Alert on Duplicate IPs with detail

zippo706
Explorer

I'm trying to produce an alert based on a user logged in with 2 IPs within 10 minutes. I have a way to determine if they have it; however, I would like to see the IP addresses they had in the alert. How can I achieve this?

The following will trigger, but I need to see the IPs as well.

index="w3logs" earliest = -10m
| eval tempx = split(X_Forwarded_For,",")
| eval ip=mvindex(tempx,0)
| stats dc(ip) as dup by cs_username | where dup > 1


scelikok
SplunkTrust

Hi @zippo706,

You can simply add the values(ip) function to the stats command to display the IP addresses:

index="w3logs" earliest = -10m
| eval tempx = split(X_Forwarded_For,",")
| eval ip=mvindex(tempx,0)
| stats dc(ip) as dup values(ip) as ip by cs_username | where dup > 1


If this reply helps you, an upvote and "Accept as Solution" is appreciated.

tscroggins
Influencer

@zippo706 

Try this, assuming your data is normalized and X_Forwarded_For is a custom header extraction:

index=w3logs earliest=-20m
| eval src=coalesce(mvindex(split(X_Forwarded_For, ","), 0), src)
| streamstats time_window=10m dc(src) as src_count by user
| where src_count > 1 AND _time > relative_time(now(), "-10m")
| stats min(_time) as _time values(src) as src by user
| eval src=mvjoin(src, ",")
| table _time user src

Replace user with cs_username if needed.

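As an added illustration (not code from the thread), the same sliding-window check modelled in Python over constructed sample events, so the per-user logic can be sanity-checked offline before it goes into an alert; cs_username and X_Forwarded_For are the field names from the question, and the 10-minute window is the thread's choice.

```python
# Added example, not from the thread: models the streamstats time_window=10m
# dc(src) by user check in Python over constructed W3C-style events.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # the thread's 10-minute window

# Constructed sample events: (timestamp, cs_username, X_Forwarded_For).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "alice", "198.51.100.7, 10.0.0.5"),
    ("2024-05-01T09:04:00", "alice", "203.0.113.9, 10.0.0.5"),
    ("2024-05-01T09:05:00", "bob",   "192.0.2.44"),
    ("2024-05-01T09:30:00", "bob",   "192.0.2.45"),   # >10m after previous
    ("2024-05-01T09:31:00", "alice", "198.51.100.7"),
]

def client_ip(xff):
    """First hop of X-Forwarded-For, like mvindex(split(X_Forwarded_For, ","), 0)."""
    return xff.split(",")[0].strip()

def users_with_multiple_ips(events, window=WINDOW):
    """Return {user: sorted list of IPs} for users seen from more than one
    distinct client IP within any span of length `window`, which is what
    streamstats time_window=10m dc(src) by user followed by where src_count > 1
    flags in the SPL above."""
    by_user = defaultdict(list)
    for ts, user, xff in events:
        by_user[user].append((datetime.fromisoformat(ts), client_ip(xff)))
    hits = {}
    for user, rows in by_user.items():
        rows.sort()
        for i, (t_end, _) in enumerate(rows):
            # Distinct IPs among events in the window ending at this event.
            in_window = {ip for t, ip in rows[: i + 1] if t_end - t <= window}
            if len(in_window) > 1:
                hits[user] = sorted(in_window)
                break
    return hits

if __name__ == "__main__":
    for user, ips in users_with_multiple_ips(SAMPLE_EVENTS).items():
        print(user, ",".join(ips))   # alice 198.51.100.7,203.0.113.9
```

Note that bob is not flagged: his two IPs are 25 minutes apart, so they never fall inside one 10-minute window, which matches what the streamstats version reports.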