Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Group DNS queries per src_ip where two domains are queried within minutes

Daniel_K
Explorer
‎03-21-2022 03:48 AM

Hi experts,

I would appreciate some design help with a query where I want to see all src_ip's querying for two different domains within X minutes of time interval during a longer time period.

🙂

 

 

 

0 Karma
Reply

BahadirS
Path Finder
‎03-21-2022 10:27 AM

Hello @Daniel_K ,

I think I understand what you are trying to do.

You could use  bucket/bin command. Then use time field to group other fields.

For X=5 minutes

index=something 
| bucket span=5m _time
| stats count by src_ip, _time

 

0 Karma
Reply

Daniel_K
Explorer
‎03-21-2022 05:12 AM

Thanks Giuseppe!

That search worked just fine but if you help me even more it would be great. Let's assume that both queries must be within X minutes of time but the complete query time is earliest=Y and latest=Z.

🙂

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-21-2022 06:21 AM

Hi @Daniel_K,

sorry but I don't understand your request: you can choose the earliest and latest values using the Time Picker or the Time Modifiers (https://docs.splunk.com/Documentation/SCS/current/Search/Timemodifiers or https://docs.splunk.com/Documentation/Splunk/8.2.5/Search/Specifytimemodifiersinyoursearch).

So what's your question?

Ciao.

Giuseppe

Reply

Daniel_K
Explorer
‎03-21-2022 06:49 AM

Yes, you're correct and  I was unclear.

I wanted the result to be whenever the 2 different domains where queried within a specific time frame.
Your suggestion was great and @ITWhisperer tweaked it a bit more to satisfy the needs.

 I still think the search could be improve by:

* Group based on src_ip with only one line with the different domains within the time frame
* If any query as it is now gives more than one hit - the result will be wrong, right?

🙂

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-21-2022 07:45 AM

I am not sure what you are asking here - you will get a "hit" each time the domain changes for a src_ip within the short period of time. You could dedup by src_ip to pick up on src_ip hitting both domains at any time in the overall time period, or even count by src_ip to find how many times the src_ip switched from one domain to the other. It depends on what it is that you are looking for.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-21-2022 05:39 AM 
index=your_index (domain=domain1 OR domain=domain2)
| streamstats dc(domain) as dc_domain range(_time) as interval window=2 global=f by src_ip
| where dc_domain=2 AND interval < 120
| table src_ip
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-21-2022 03:52 AM

Hi @Daniel_K,

let me understand: you want to know the IPs that queried both the domains, is is it correct?

In this case, please, try something like this:

index=your_index (domain=domain1 OR domain=domain2)
| stats dc(domain) AS dc_domain BY src_ip
| where dc_domain=2
| table src_ip

Ciao.

Giuseppe

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...