Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Group same IPs used in time period by user

mobrienmoore1
New Member
‎03-27-2018 08:16 AM

Hello,

I am trying to create a search where the same IP is used more than 50 times by the same email address. So far this is all that I have:

index=* sourcetype=* | stats count by ip | where count > 50

I've tried using various stats commands to add in the usernames, but nothing seems to be working. Any help would be appreciated.

0 Karma
Reply

elliotproebstel
Champion
‎03-27-2018 09:24 AM

Your current search will tell you if the same IP is seen in more than 50 events, regardless of email_address. Assuming the events contain both the email_address and IP, then this should work:

index=* sourcetype=* 
| stats count by email_address, ip 
| where count > 50

If the email_address and IP are not seen in the same event, we'd probably need to see some sample events to help structure a query.

0 Karma
Reply

mobrienmoore1
New Member
‎03-27-2018 09:31 AM

Email addresses and IPs are in the same event. I first want to find all IPs used more than 50 times, then pull the email addresses out of those events where the IP has been found to have been used more than 50 times.

0 Karma
Reply

elliotproebstel
Champion
‎03-27-2018 07:28 PM

When you say "all IPs used more than 50 times", do you mean IPs that have generated at least 50 events in your logs? If so:

index=* sourcetype=*
| stats values(email_address) AS email_address, count by ip
| where count>50

This will return all IP addresses seen in more than 50 events and the email_address values associated with those IP addresses.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...