Cisco IPS Top Signature by top hosts

cgekoski
Path Finder

New to the Splunk community and still learning the way of searches. In a nutshell I want to do a search against a Cisco IPS sensor for the top 5 signatures over 24 hours. Easy to do, but how can I then take that result and say, for the top signature, show me the top src_ip's? I was thinking that I could pipe the results into another top limit=5 src_ip but no luck. I've even tried doing top limit=1 signature. Thinking something with append maybe?

host=IPSSensor1 | top limit=5 signature

sig count percent
5474 9289 86.304934
3653 1114 10.350274
1208 116 1.077766
1204 66 0.613212
11020 60 0.557465

Thanks,

Cory


martin_mueller
SplunkTrust

To show the top 5 ips for the top signature you can run this search:

host=ipssensor1 [search host=ipssensor1 | top 1 signature | fields signature] | top 5 src_ip

The subsearch in square brackets will evaluate to signature=5474, which is used by the outer search as a filter.
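The same subsearch pattern extended to all five signatures from the question, as an added example that is not part of the original answer: the subsearch returns the top 5 signatures over the last 24 hours, and the outer search then reports the top 5 source addresses for each of them. The host, signature and src_ip names are taken from the posts above; the explicit earliest=-24h is an assumption standing in for the dashboard time range.

```spl
host=ipssensor1 earliest=-24h
    [ search host=ipssensor1 earliest=-24h
      | top limit=5 signature
      | fields signature ]
| top limit=5 src_ip by signature
```

The `fields signature` step matters because `top` also emits count and percent, and any field left in the subsearch result becomes part of the filter handed to the outer search. With the sample results in the question, the subsearch expands to an OR of the five signature values (5474, 3653, 1208, 1204, 11020).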

cgekoski
Path Finder

Thanks Martin. Powerful search string once I added a time range to my dashboard.
