Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Group DNS queries per src_ip where two domains are queried within minutes

Daniel_K
Explorer
‎03-21-2022 03:48 AM

Hi experts,

I would appreciate some design help with a query where I want to see all src_ip's querying for two different domains within X minutes of time interval during a longer time period.

🙂

 

 

 

Labels (1)
Labels
0 Karma
Reply

BahadirS
Path Finder
‎03-21-2022 10:27 AM

Hello @Daniel_K ,

I think I understand what you are trying to do.

You could use  bucket/bin command. Then use time field to group other fields.

For X=5 minutes

index=something 
| bucket span=5m _time
| stats count by src_ip, _time

 

0 Karma
Reply

Daniel_K
Explorer
‎03-21-2022 05:12 AM

Thanks Giuseppe!

That search worked just fine but if you help me even more it would be great. Let's assume that both queries must be within X minutes of time but the complete query time is earliest=Y and latest=Z.

🙂

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-21-2022 06:21 AM

Hi @Daniel_K,

sorry but I don't understand your request: you can choose the earliest and latest values using the Time Picker or the Time Modifiers (https://docs.splunk.com/Documentation/SCS/current/Search/Timemodifiers or https://docs.splunk.com/Documentation/Splunk/8.2.5/Search/Specifytimemodifiersinyoursearch).

So what's your question?

Ciao.

Giuseppe

Reply

Daniel_K
Explorer
‎03-21-2022 06:49 AM

Yes, you're correct and  I was unclear.

I wanted the result to be whenever the 2 different domains where queried within a specific time frame.
Your suggestion was great and @ITWhisperer tweaked it a bit more to satisfy the needs.

 I still think the search could be improve by:

* Group based on src_ip with only one line with the different domains within the time frame
* If any query as it is now gives more than one hit - the result will be wrong, right?

🙂

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-21-2022 07:45 AM

I am not sure what you are asking here - you will get a "hit" each time the domain changes for a src_ip within the short period of time. You could dedup by src_ip to pick up on src_ip hitting both domains at any time in the overall time period, or even count by src_ip to find how many times the src_ip switched from one domain to the other. It depends on what it is that you are looking for.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-21-2022 05:39 AM 
index=your_index (domain=domain1 OR domain=domain2)
| streamstats dc(domain) as dc_domain range(_time) as interval window=2 global=f by src_ip
| where dc_domain=2 AND interval < 120
| table src_ip
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-21-2022 03:52 AM

Hi @Daniel_K,

let me understand: you want to know the IPs that queried both the domains, is is it correct?

In this case, please, try something like this:

index=your_index (domain=domain1 OR domain=domain2)
| stats dc(domain) AS dc_domain BY src_ip
| where dc_domain=2
| table src_ip

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...