Solved: Check connection from same source to multiple dest...

SIEMStudent · ‎11-18-2021

Hi guys,

I have a doubt regarding the mapping of connection from the same source IP to different destination IP.

In my query, I have to check if the same source reach more than 300 different destination IP.

Usually, If I had to report connection with source ip which appear more than 300 times, I know I can to write:

|stats count src_ip as source by source
|where count > 300

But what about if I have to check the query requirements?

It shuold be something like:

|stats count src_ip as source, dest_ip as destination by source
|where destination > 300

?

scelikok · ‎11-18-2021

Hi @SIEMStudent,

You can try below;

| stats dc(dest_ip) as dest_count by src_ip
| where dest_count > 300

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

scelikok · ‎11-18-2021

Hi @SIEMStudent,

You can try below;

| stats dc(dest_ip) as dest_count by src_ip
| where dest_count > 300

If this reply helps you an upvote and "Accept as Solution" is appreciated.

SIEMStudent · ‎11-18-2021

Thank you very much!

Check connection from same source to multiple destination

count

stats

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation