Splunk Search

Calculate how many IPs changed since last week

Regengott
New Member

I have a bunch of log files from a honeypot. In these log files, I have IP addresses which appear almost every day, and some of them change. Now I'd like to see on a per-week basis how many new IPs are dropping into the pot.

Just to make my analysis problem clear:

IPs in week 1
1.2.3.4
2.3.4.5
3.4.5.6

IPs in week 2
1.2.3.4
2.3.4.5
3.4.5.6
9.9.9.9

The result would be "1 IP added since last week"

0 Karma

bmunson_splunk
Splunk Employee

You need to do a subsearch and use the boolean NOT to exclude those results.

source=mylogs src_ip=* NOT [ search earliest=-14d@d latest=-7d@d  source=mylogs | stats count by src_ip | fields src_ip ] | stats dc(src_ip) as "New IP's this week"

If you are regularly doing this and have a lot of data, you might want to schedule the subsearch to speed this up.

Edited to add the command "search" above and modify the output.
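Two things to keep in mind with the NOT-subsearch above: the outer search carries no time range of its own, so it takes whatever the time picker supplies (with "All time" it returns "every IP ever seen except those seen last week", not "IPs new this week"), and a subsearch is capped by limits.conf (10,000 results by default), so a busy honeypot can silently drop IPs from the exclusion list. The same set difference can be computed in one pass without a subsearch, which also avoids the "Unknown search command 'earliest'" problem reported further down this thread. This is an added example, not the poster's search; it assumes the source name mylogs and the field src_ip from the question, and pins both weeks to explicit day boundaries:

```spl
source=mylogs src_ip=* earliest=-14d@d latest=@d
| stats min(_time) AS first_seen BY src_ip
| where first_seen >= relative_time(now(), "-7d@d")
| stats count AS "New IPs this week"
```

An IP whose earliest event in the 14-day window falls inside the last 7 days was, by definition, not seen in the 7 days before that, which is exactly what the NOT subsearch selects. The semantics are the same as the original answer's, including the caveat that an IP last seen three weeks ago and back this week counts as new; widen earliest if "new" should mean "never seen before". Use @w instead of @d if you want calendar weeks rather than rolling 7-day windows.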

Regengott
New Member

/me = newbie :) Thx - now I got a result; I need to interpret it, whether it is what I want.

0 Karma

okrabbe_splunk
Splunk Employee

He just forgot to put the search command. Add the word search before earliest, i.e.:
source=mylogs src_ip=* NOT [ search earliest=-14d@d latest=-7d@d .....

0 Karma

Regengott
New Member

Thx for the quick response, but unfortunately I got an error "Unknown search command 'earliest'". Perhaps I should have mentioned I use the free version 5.0.3?

0 Karma

linu1988
Champion

Use join to see the difference:

index=blah earliest=-1w@w latest=@w | stats count as LastCount by host | join host [ search index=blah earliest=@w | stats count as Latest by host ] | table host,LastCount,Latest | eval Difference=Latest-LastCount

0 Karma
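Both answers compare a single week with the one before it, and the join version counts events per host rather than distinct source IPs. The question asked for the number of new IPs per week; the following search, added here as an example and not taken from any post in the thread, produces that series in one pass with neither join nor subsearch. It keeps the source and field names from the question and, as an assumption, looks back 12 calendar weeks (weeks start on Sunday, the default for @w). An IP counts as new in the first week it appears anywhere in that range, so the oldest week reports every IP as new and should be read as the baseline:

```spl
source=mylogs src_ip=* earliest=-12w@w latest=@w
| eval week=relative_time(_time, "@w")
| stats count AS hits BY week, src_ip
| eventstats min(week) AS first_week BY src_ip
| eval is_new=if(week==first_week, 1, 0)
| stats dc(src_ip) AS total_ips, sum(is_new) AS new_ips BY week
| eval week=strftime(week, "%Y-%m-%d")
| sort week
```

Snapping each event to the start of its week with relative_time keeps the buckets aligned with the earliest=-12w@w boundary; eventstats then attaches each IP's first week to every row for that IP, so the final stats can count both the distinct IPs seen in a week (total_ips) and those appearing for the first time (new_ips). For the week-2 sample in the question this yields total_ips=4 and new_ips=1.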