Splunk Search

Basic use of tstats and a lookup

dmbr
Explorer

Here is a basic tstats search I use to check network traffic.

| tstats summariesonly=t fillnull_value="MISSING" count from datamodel=Network_Traffic.All_Traffic where All_Traffic.src IN ("11.2.2.1","11.2.2.2","11.2.2.3") by All_Traffic.src, All_Traffic.dest, All_Traffic.action, All_Traffic.dest_port, All_Traffic.bytes, sourcetype
| sort -count

I have a lookup file called "ip_ioc.csv" containing a single column of IPv4 addresses which constitute potential bad actors.  

Instead of searching through a list of IP addresses as per above, I want the tstats search to check the lookup file.

How can I modify the above search?

Here is a terrible and incorrect attempt at what I am trying to perform:

| tstats count from datamodel=Network_Traffic.All_Traffic by All_Traffic.src, All_Traffic.dest, All_Traffic.action, All_Traffic.dest_port, All_Traffic.bytes, sourcetype
| lookup ip_ioc.csv ip_ioc
| where ip_ioc == All_Traffic.src OR ip_ioc == All_Traffic.dest

bowesmana
SplunkTrust

Not so terrible, but incorrect 🙂 One way is to replace the last two lines with

| lookup ip_ioc.csv ip_ioc as All_Traffic.src OUTPUT ip_ioc as src_found
| lookup ip_ioc.csv ip_ioc as All_Traffic.dest OUTPUT ip_ioc as dest_found
| where !isnull(src_found) OR !isnull(dest_found)

Looks like you want to check either src or dest, so you could possibly use a subsearch in the tstats to pull in your IP addresses to be part of the where IN statement for each of src and dest, but the merits of each would be down to performance - the above is quite simple and easy to read.

linwqg
New Member

Hello guys. 

Can I hitch on this to further check: how do I include a timestamp for each match?

If I add by _time (in red below), the output is automatically bucketed. If I specify span=1s, can I still pipe the result to timechart span=1d?

| tstats count from datamodel=Network_Traffic.All_Traffic by _time span=1s, All_Traffic.src, All_Traffic.dest, All_Traffic.action, All_Traffic.dest_port, All_Traffic.bytes, sourcetype

The desired output is for each match to carry _time, src, dst, ports fields, which can be used to generate timechart.
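
As an added example that is not part of the original thread, the search below combines the two open points: the subsearch variant bowesmana mentions (pulling the IOC list into the tstats where clause instead of filtering after the fact) and the per-match timestamp that linwqg asks for. It assumes the same ip_ioc.csv lookup with a single column named ip_ioc from the question; the field names src_ioc, dest_ioc, ioc_side and hits are mine.

```spl
| tstats summariesonly=t fillnull_value="MISSING" count sum(All_Traffic.bytes) AS bytes
    from datamodel=Network_Traffic.All_Traffic
    where (
        [| inputlookup ip_ioc.csv | rename ip_ioc AS All_Traffic.src | fields All_Traffic.src]
        OR
        [| inputlookup ip_ioc.csv | rename ip_ioc AS All_Traffic.dest | fields All_Traffic.dest]
    )
    by _time span=1s, All_Traffic.src, All_Traffic.dest, All_Traffic.action, All_Traffic.dest_port, sourcetype
| rename All_Traffic.* AS *
| lookup ip_ioc.csv ip_ioc AS src OUTPUT ip_ioc AS src_ioc
| lookup ip_ioc.csv ip_ioc AS dest OUTPUT ip_ioc AS dest_ioc
| eval ioc_side=case(isnotnull(src_ioc) AND isnotnull(dest_ioc), "both",
                     isnotnull(src_ioc), "src",
                     true(), "dest")
| fields _time src dest dest_port action sourcetype ioc_side count bytes
| timechart span=1d sum(count) AS hits by ioc_side
```

Each inputlookup subsearch expands into an OR of src (or dest) equalities before tstats runs, so only rows touching an IOC address are read from the accelerated summaries. The rows that reach the `fields` line carry _time at one-second resolution together with src, dest, dest_port and action, which is the shape linwqg wants; timechart then re-buckets that _time into daily spans, so a finer span in tstats and a coarser one in timechart do not conflict. Two caveats: a subsearch is capped at 10,000 results by default (limits.conf [subsearch] maxout), so for a large IOC list the lookup-after-tstats form in the accepted answer scales better, and summariesonly=t means unaccelerated data is silently skipped. The two lookup calls after the rename are there only to label which side matched; drop them and the eval if the direction is not needed.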

dmbr
Explorer

Thank you! 😋 