Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Group DNS queries per src_ip where two domains are queried within minutes

Daniel_K
Explorer
‎03-21-2022 03:48 AM

Hi experts,

I would appreciate some design help with a query where I want to see all src_ip's querying for two different domains within X minutes of time interval during a longer time period.

🙂

 

 

 

Labels (1)
Labels
0 Karma
Reply

BahadirS
Path Finder
‎03-21-2022 10:27 AM

Hello @Daniel_K ,

I think I understand what you are trying to do.

You could use  bucket/bin command. Then use time field to group other fields.

For X=5 minutes

index=something 
| bucket span=5m _time
| stats count by src_ip, _time

 

0 Karma
Reply

Daniel_K
Explorer
‎03-21-2022 05:12 AM

Thanks Giuseppe!

That search worked just fine but if you help me even more it would be great. Let's assume that both queries must be within X minutes of time but the complete query time is earliest=Y and latest=Z.

🙂

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-21-2022 06:21 AM

Hi @Daniel_K,

sorry but I don't understand your request: you can choose the earliest and latest values using the Time Picker or the Time Modifiers (https://docs.splunk.com/Documentation/SCS/current/Search/Timemodifiers or https://docs.splunk.com/Documentation/Splunk/8.2.5/Search/Specifytimemodifiersinyoursearch).

So what's your question?

Ciao.

Giuseppe

Reply

Daniel_K
Explorer
‎03-21-2022 06:49 AM

Yes, you're correct and  I was unclear.

I wanted the result to be whenever the 2 different domains where queried within a specific time frame.
Your suggestion was great and @ITWhisperer tweaked it a bit more to satisfy the needs.

 I still think the search could be improve by:

* Group based on src_ip with only one line with the different domains within the time frame
* If any query as it is now gives more than one hit - the result will be wrong, right?

🙂

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-21-2022 07:45 AM

I am not sure what you are asking here - you will get a "hit" each time the domain changes for a src_ip within the short period of time. You could dedup by src_ip to pick up on src_ip hitting both domains at any time in the overall time period, or even count by src_ip to find how many times the src_ip switched from one domain to the other. It depends on what it is that you are looking for.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-21-2022 05:39 AM 
index=your_index (domain=domain1 OR domain=domain2)
| streamstats dc(domain) as dc_domain range(_time) as interval window=2 global=f by src_ip
| where dc_domain=2 AND interval < 120
| table src_ip
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-21-2022 03:52 AM

Hi @Daniel_K,

let me understand: you want to know the IPs that queried both the domains, is is it correct?

In this case, please, try something like this:

index=your_index (domain=domain1 OR domain=domain2)
| stats dc(domain) AS dc_domain BY src_ip
| where dc_domain=2
| table src_ip

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...