Splunk Search

How to analyse the traffic of a specific IP address, dest with port?

Jana42855
Explorer

Hi All,

I didn't get the result by using this query search below.
How to check and confirm the index and source type specifically to make the query precise?

index=*| search src=**.**.***.** OR **.**.***.** dest_ip=**.***.***.*** dest_port=443

How to confirm the source type and index?


Jana42855
Explorer

Hi, thanks for the reply.

Yes, I have some indexes and sourcetypes,
but I don't know how to choose the index and sourcetypes for this IP address.

Thanks,


gcusello
SplunkTrust

Hi @Jana42855,

The first step is to know the data to search; otherwise it's very difficult!

Anyway, you could start to run a search like the following:

index=<your_index> (src=* OR dest_ip=* OR dest_port=*)

In this way you have all the events containing these fields.

Then you can analyze them and identify the index and sourcetype to use.

Remember that you can see only the indexes where you are enabled; in other words, if you don't have grants to access an index, you don't see it.

Ciao.

Giuseppe


yuanliu
SplunkTrust

yes I have some indexes and sourcetypes
but I don't know how to choose the index and sourcetypes for this IP address

Can you confirm this: so you want to know which index/indices and which sourcetype(s) contain records of interest. Is this correct?

index=* src=**.**.***.** OR **.**.***.** dest_ip=**.***.***.*** dest_port=443
| stats count by index sourcetype

This should give you a list of index-sourcetype combinations that contain the specific IP and port. (Also, if you use a search command immediately following a search command, the two search commands should be combined into one. The first command is an implied "search".)


gcusello
SplunkTrust

Hi @Jana42855,

I suppose that you already have the log indexed and stored in an index with one sourcetype.

At first you should define the index where the logs are stored and the sourcetype to use.

Then, using this index and this sourcetype, you should check if the field names are correct (field names are case sensitive) and if the fields to use in the search (src, dest_ip, dest_port) are present in all events.

Then you don't need to use the search command: put all the parameters in the main search and you'll have a more performant search. Also, don't use index=*, because it is slower than index=your_index.

index=<your_index> src=**.**.***.** OR **.**.***.** dest_ip=**.***.***.*** dest_port=443

Ciao.

Giuseppe

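As an added example (not code from any of the posters), one search that combines yuanliu's "stats count by index sourcetype" step with Giuseppe's advice to verify that the fields are actually present in every event. The IP values are placeholders to fill in and the 24-hour window is an assumption.

```spl
index=* earliest=-24h
    (src=<ip_a> OR src=<ip_b> OR dest_ip=<dest_ip>)
| stats count AS events,
        count(src) AS with_src,
        count(dest_ip) AS with_dest_ip,
        count(dest_port) AS with_dest_port,
        sum(eval(if(dest_port=443, 1, 0))) AS to_443
        BY index sourcetype
| eval field_coverage=round(min(with_src, with_dest_ip, with_dest_port) / events * 100, 1)
| sort - events
```

Each row is an index/sourcetype pair that mentions one of the addresses; a field_coverage below 100 means some events lack src, dest_ip or dest_port (often a case or naming mismatch), which is why the original filtered search returned nothing. In SPL, OR binds tighter than the implicit AND, so the alternatives are grouped in parentheses; written as `src=A OR B`, the second address is matched as a bare keyword rather than a value of src.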