Splunk Search

Comparing fields in searches to find common values


Hello All,
I have some data here with which I need to find out which is the most vulnerable IP address from the dummy firewall log.
Fragmentation attack
some tcp attack

So from the above data, is common for all the attacks on my network, and I need a search query to list out the common IPs.
I hope I have made myself clear.
My base search to get the results is

index="netgear" | stats values(srcip) as srcip values(destip) as destip by message
0 Karma

Super Champion

Hi @ranjitbrhm1,

This is a great way to find compromised IPs. Your search should be like this if you want to find all attack messages for your source IP:

 index="netgear" | stats values(message) as message by srcip

You can even filter out whichever has more than 2 attack vectors:

 index="netgear" | stats dc(message) as condition, values(message) as message by srcip | where condition>2

And you can also add the list of destinations:

 index="netgear" | stats dc(message) as condition, values(message) as message, values(destip) as destip by srcip

Let me know if this helps.


0 Karma


I suspect you are presenting a snippet of your requirements; however, try this and see if it takes you any nearer to your solution.

| makeresults
| eval evnt="Fragmentation attack
some tcp attack"
| rex field=evnt "(?<text>\d+\.\d+\.\d+\.\d+)" max_match=0
| mvexpand text
| stats count by text

So, here the count for is the highest, and you can just filter by the count for the IP having the maximum occurrence.

0 Karma


Thank you for the answer; let me try to explain my entire requirement so it's more clear. I get a log from the firewall. Inside the firewall log there are some destination IPs under attack by fragmentation attack, some destination IPs under attack by brute force, and some destination IPs under attack by some other attack. So I want to find out if any destination IP is under attack by multiple methods. Like in the above scenario, is under attack by all three types of attacks. So basically I need to find the most vulnerable IP address in the network. Hope I made myself clear.

0 Karma
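The requirement just restated (which destination IP is hit by the most distinct attack types) is what `index="netgear" | stats dc(message) as condition values(message) as message values(srcip) as srcip by destip | where condition>=2 | sort -condition` computes. As an added example that is not from this thread, here is the same aggregation done in Python over constructed key=value firewall lines, ranking destinations by distinct attack messages and listing the sources behind each; the log layout, IPs and field names are assumptions, not real NETGEAR output.

```python
import re
from collections import defaultdict

# Constructed sample lines in a key=value layout that Splunk would auto-extract
# as the fields message, srcip and destip (assumed layout, not real NETGEAR output).
SAMPLE_LOG = """\
Jan 10 10:00:01 fw kernel: message="Fragmentation attack" srcip=203.0.113.5 destip=192.0.2.10
Jan 10 10:00:07 fw kernel: message="Brute force attack" srcip=203.0.113.9 destip=192.0.2.10
Jan 10 10:00:12 fw kernel: message="some tcp attack" srcip=203.0.113.5 destip=192.0.2.10
Jan 10 10:01:03 fw kernel: message="Fragmentation attack" srcip=203.0.113.7 destip=192.0.2.20
Jan 10 10:01:30 fw kernel: message="Fragmentation attack" srcip=203.0.113.7 destip=192.0.2.20
Jan 10 10:02:15 fw kernel: message="Brute force attack" srcip=203.0.113.9 destip=192.0.2.30
Jan 10 10:02:44 fw kernel: message="some tcp attack" srcip=203.0.113.5 destip=192.0.2.30
Jan 10 10:03:00 fw kernel: WAN link up
"""

FIELD_RE = re.compile(
    r'message="(?P<message>[^"]*)"\s+srcip=(?P<srcip>\S+)\s+destip=(?P<destip>\S+)')

def parse_events(log_text):
    """One dict per line carrying all three fields; lines without them are skipped."""
    for line in log_text.splitlines():
        m = FIELD_RE.search(line)
        if m:
            yield m.groupdict()

def attacks_by_destination(log_text):
    """Same aggregation as `stats dc(message) values(message) values(srcip) count by destip`."""
    per_dest = defaultdict(lambda: {"messages": set(), "srcips": set(), "count": 0})
    for ev in parse_events(log_text):
        row = per_dest[ev["destip"]]
        row["messages"].add(ev["message"])
        row["srcips"].add(ev["srcip"])
        row["count"] += 1
    # dc(message) becomes attack_types; values(...) become sorted lists as Splunk shows them
    return {dest: {"attack_types": len(r["messages"]), "messages": sorted(r["messages"]),
                   "srcips": sorted(r["srcips"]), "count": r["count"]}
            for dest, r in per_dest.items()}

def most_attacked(log_text, min_types=2):
    """Destinations hit by at least min_types distinct attack messages, most types first
    (ties broken by event count): the `| where condition>=2 | sort -condition` step."""
    rows = attacks_by_destination(log_text)
    ranked = sorted(rows.items(), key=lambda kv: (-kv[1]["attack_types"], -kv[1]["count"], kv[0]))
    return [(dest, r) for dest, r in ranked if r["attack_types"] >= min_types]

if __name__ == "__main__":
    for dest, r in most_attacked(SAMPLE_LOG):
        print(f'{dest}: {r["attack_types"]} attack types {r["messages"]} from {r["srcips"]}')
```

On the sample data 192.0.2.10 is reported first (three distinct attack types from two sources), 192.0.2.30 second, and 192.0.2.20 is dropped because it sees only one attack type despite two events.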


You need to provide a better snapshot of your logs.
What is the difference between the output of the above query and what you want?

0 Karma