Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I list unique IPs of infected computers per day and then list new IPs from the previous day?

Log_wrangler
Builder
‎10-17-2018 02:33 PM

I have a query that looks at SEP logs.

index=SEP  Sig_String='Attack: Bad Stuff"  Remote_IP=10.* | bin _time span=1d | stats values(Remote_IP) dc(Remote_IP) by _time

that gives me a list of infected IPs per day but I cannot figure out how to identify the new IPs from the previous day...

I am looking for a list of IPs per day and a list of new IPs seen on that day (not seen on the previous day) to display in results.

Please advise,
Thank you

0 Karma
Reply

woodcock
Esteemed Legend
‎10-24-2018 10:18 AM

Try this

index=SEP  Sig_String='Attack: Bad Stuff"  Remote_IP=10.*
| bin _time span=1d
| reverse
| nomv IPs
| streamstats current=f last(*) AS prev*
| eval newIPcount = mvcount(mvdedup(split(IPs . " " . prevIPs, " "))) - prevIPcount
0 Karma
Reply

Log_wrangler
Builder
‎10-26-2018 06:21 AM

Thank you for the reply. I will dig into and see what I can do with your code.

0 Karma
Reply

baldwintm
Path Finder
‎10-24-2018 04:38 AM

Does this give you the results that you need?

index=SEP  Sig_String="Attack: Bad Stuff"  Remote_IP=10.* earliest=-2d@d latest=@d | bin _time span=1d | stats count by Remote_IP, _time | stats count, latest(_time) as recent by Remote_IP | eval yesterday=relative_time(now(),"-1d@d") | where count=1 AND recent>=yesterday

What this does is looks at the last 2 days, and then counts each IP by day (the count here isn't important, but its more efficient than dedup), then we count those just by IP. This will give us a count field that will be a "1" if that IP only shows up on one of days, or a "2" if that IP shows up both days, and a recent field that will have a timestamp indicating which day was the most recent day. Then we create a field called "yesterday" that has the timestamp of midnight yesterday. This will allow us to filter our results to only show IP's that sent logs yesterday, but not the day before.

0 Karma
Reply

Log_wrangler
Builder
‎10-26-2018 06:20 AM

Thank you for the reply. Sorry for the delayed response.

This does not really give me what I need. Perhaps I did not explain well.

I would like to be able to set a time range e.g. 7 days ago and table the IPs per day... ideally showing new IPs for the consecutive days, but now I have been requested to show e.g. Monday 10/22/2018 New IPs, Existing IPs... Tuesday New, Existing, Wednesday, New, Existing, etc.... The time format is not that important as long as the date readable...

I am not sure how to tackle this.

hope that makes sense...

0 Karma
Reply

Log_wrangler
Builder
‎10-26-2018 06:30 AM

if I try 

index=SEP  Sig_String='Attack: Bad Stuff"  Remote_IP=10.*| bin _time span=1d | timechart dc(Remote_IP) values(Remote_IP)

I just need to break out the results by new and existing.... hope that makes sense..

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top