Splunk Search

Group DNS queries per src_ip where two domains are queried within minutes

Daniel_K
Explorer

Hi experts,

I would appreciate some design help with a query where I want to see all src_ip's querying for two different domains within X minutes of time interval during a longer time period.

🙂

BahadirS
Path Finder

Hello @Daniel_K ,

I think I understand what you are trying to do.

You could use the bucket/bin command, then use the time field to group the other fields.

For X=5 minutes

index=something 
| bucket span=5m _time
| stats count by src_ip, _time

Daniel_K
Explorer

Thanks Giuseppe!

That search worked just fine, but if you could help me even more it would be great. Let's assume that both queries must be within X minutes of each other, but the complete search time range is earliest=Y and latest=Z.

🙂

gcusello
Esteemed Legend

Hi @Daniel_K,

sorry but I don't understand your request: you can choose the earliest and latest values using the Time Picker or the Time Modifiers (https://docs.splunk.com/Documentation/SCS/current/Search/Timemodifiers or https://docs.splunk.com/Documentation/Splunk/8.2.5/Search/Specifytimemodifiersinyoursearch).

So what's your question?

Ciao.

Giuseppe

Daniel_K
Explorer

Yes, you're correct and I was unclear.

I wanted the result to be whenever the 2 different domains were queried within a specific time frame.
Your suggestion was great and @ITWhisperer tweaked it a bit more to satisfy the needs.

I still think the search could be improved by:

* Group based on src_ip with only one line with the different domains within the time frame
* If any query as it is now gives more than one hit - the result will be wrong, right?

🙂

ITWhisperer
SplunkTrust

I am not sure what you are asking here - you will get a "hit" each time the domain changes for a src_ip within the short period of time. You could dedup by src_ip to pick up on src_ip hitting both domains at any time in the overall time period, or even count by src_ip to find how many times the src_ip switched from one domain to the other. It depends on what it is that you are looking for.

ITWhisperer
SplunkTrust

index=your_index (domain=domain1 OR domain=domain2)
| streamstats dc(domain) as dc_domain range(_time) as interval window=2 global=f by src_ip
| where dc_domain=2 AND interval < 120
| table src_ip

gcusello
Esteemed Legend

Hi @Daniel_K,

let me understand: you want to know the IPs that queried both domains, is it correct?

In this case, please, try something like this:

index=your_index (domain=domain1 OR domain=domain2)
| stats dc(domain) AS dc_domain BY src_ip
| where dc_domain=2
| table src_ip

Ciao.

Giuseppe
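To make the difference between the two searches in this thread concrete, here is an added Python emulation (not Splunk's code, nor any poster's) of both approaches run over a small constructed DNS log. The field names `src_ip`, `domain` and the placeholders `domain1`/`domain2` are taken from the thread; the sample events, the 120-second window and the function names are assumptions for illustration. `pairs_within_window` mirrors ITWhisperer's `streamstats ... window=2 global=f by src_ip | where dc_domain=2 AND interval < 120`, `both_domains_any_time` mirrors gcusello's `stats dc(domain) BY src_ip | where dc_domain=2`, and `one_line_per_src_ip` collapses the per-pair hits into the single row per `src_ip` that Daniel_K asked for, so a source that switched domains several times is reported once with a switch count rather than once per hit.

```python
"""Emulate the two SPL approaches from the thread over constructed DNS events.

Added example, not Splunk's or any poster's code. Events are sorted by time and
grouped per src_ip; streamstats window=2 compares each event with its
predecessor in the stream, which is what pairs_within_window does.
"""
from collections import defaultdict
from dataclasses import dataclass

# Stands in for the base search filter (domain=domain1 OR domain=domain2).
WATCHED = {"domain1", "domain2"}


@dataclass(frozen=True)
class DnsEvent:
    time: int      # epoch seconds, stands in for _time
    src_ip: str
    domain: str


# Constructed sample log, not captured from a real resolver.
SAMPLE = [
    DnsEvent(1000, "10.0.0.5", "domain1"),
    DnsEvent(1050, "10.0.0.5", "domain2"),       # 50 s after domain1 -> hit
    DnsEvent(1000, "10.0.0.7", "domain1"),
    DnsEvent(1900, "10.0.0.7", "domain2"),       # 900 s gap -> no hit at 120 s, but dc=2
    DnsEvent(1000, "10.0.0.9", "domain1"),
    DnsEvent(1030, "10.0.0.9", "domain1"),       # same domain repeated -> dc=1 for the pair
    DnsEvent(1100, "10.0.0.9", "domain2"),       # 70 s after the last domain1 -> hit
    DnsEvent(1150, "10.0.0.9", "domain1"),       # switches back -> second hit for this src_ip
    DnsEvent(1000, "10.0.0.11", "example.org"),  # dropped by the base search filter
]


def pairs_within_window(events, window_seconds):
    """streamstats dc(domain) range(_time) window=2 global=f by src_ip
    | where dc_domain=2 AND interval < window_seconds

    Returns one tuple (src_ip, previous_domain, current_domain, gap) per
    adjacent pair of events of the same src_ip whose domains differ and whose
    time gap is under the window. The first event of each src_ip has no
    predecessor, so it can never be a hit (dc=1), exactly as in streamstats."""
    per_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.time):
        if ev.domain in WATCHED:
            per_ip[ev.src_ip].append(ev)
    hits = []
    for src_ip, evs in per_ip.items():
        for prev, cur in zip(evs, evs[1:]):  # window=2: current event plus the one before it
            gap = cur.time - prev.time
            if prev.domain != cur.domain and gap < window_seconds:
                hits.append((src_ip, prev.domain, cur.domain, gap))
    return hits


def one_line_per_src_ip(events, window_seconds):
    """Collapse the per-pair hits to one row per src_ip (what a trailing
    | stats count values(domain) min(interval) by src_ip would give), so a
    src_ip that switched several times is listed once with a switch count."""
    summary = {}
    for src_ip, d_prev, d_cur, gap in pairs_within_window(events, window_seconds):
        row = summary.setdefault(src_ip, {"switches": 0, "domains": set(), "min_gap": None})
        row["switches"] += 1
        row["domains"].update((d_prev, d_cur))
        row["min_gap"] = gap if row["min_gap"] is None else min(row["min_gap"], gap)
    return summary


def both_domains_any_time(events):
    """stats dc(domain) BY src_ip | where dc_domain=2: src_ips that queried both
    watched domains anywhere in the search range, regardless of spacing."""
    seen = defaultdict(set)
    for ev in events:
        if ev.domain in WATCHED:
            seen[ev.src_ip].add(ev.domain)
    return sorted(ip for ip, doms in seen.items() if len(doms) == 2)


if __name__ == "__main__":
    for hit in pairs_within_window(SAMPLE, 120):
        print("hit:", hit)
    print("per src_ip:", one_line_per_src_ip(SAMPLE, 120))
    print("both domains at any time:", both_domains_any_time(SAMPLE))
```

Running it shows why the two searches answer different questions: 10.0.0.7 appears in the `dc(domain)` result because it queried both domains at some point, but not in the windowed result, because the two queries were 900 seconds apart; 10.0.0.9 produces two windowed hits, which is the duplicate-row effect the thread mentions and which the per-src_ip summary removes.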
