Splunk Search

How to combine my 2 searches to list all source and destination IPs based on same destination port?

Path Finder

I'm trying to get my current 2 searches into 1. I am trying to get a list of all source and destination IPs based on the same destination port. I have it in 2 searches by doing this at the end of my search:

| stats count by src_ip

second search

| stats count by dest_ip

Basically I just need a list of all source IPs and a list of all dest IPs that have the same dest port.

Any tips or help would be greatly appreciated.

1 Solution

Path Finder

I figured it out:

| stats values(src_ip),values(dest_ip) by dest_port

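To see what the accepted answer produces without touching an index, here is an added SPL example (not from the thread) that builds a handful of constructed events with makeresults and then applies the same stats pattern. The field names src_ip, dest_ip and dest_port follow the question; the IP addresses and the "src=...,dst=...,port=..." layout are made up for the demonstration, and the dc() columns are an addition on top of the accepted answer.

```spl
| makeresults count=1
| eval _raw="src=10.0.0.1,dst=192.0.2.10,port=443;src=10.0.0.1,dst=192.0.2.11,port=443;src=10.0.0.2,dst=192.0.2.10,port=443;src=10.0.0.2,dst=192.0.2.10,port=443;src=10.0.0.3,dst=192.0.2.20,port=8000;src=10.0.0.1,dst=192.0.2.20,port=8000"
| makemv delim=";" _raw
| mvexpand _raw
| rex field=_raw "src=(?<src_ip>[^,]+),dst=(?<dest_ip>[^,]+),port=(?<dest_port>\d+)"
| stats values(src_ip) as src_ips values(dest_ip) as dest_ips dc(src_ip) as src_count dc(dest_ip) as dest_count by dest_port
```

On real data, replace the first four lines with the base search (for example `index=... sourcetype=... dest_port=*`). The constructed events give one row per port: port 443 lists src_ips 10.0.0.1 and 10.0.0.2 with dest_ips 192.0.2.10 and 192.0.2.11 (src_count 2, dest_count 2); port 8000 lists src_ips 10.0.0.1 and 10.0.0.3 with the single dest_ip 192.0.2.20. The repeated 10.0.0.2 to 192.0.2.10 event appears once, because values() returns the distinct set per group. The dc() columns are the check: they should equal the row counts of the two separate `stats count by src_ip` and `stats count by dest_ip` searches. Chained `dedup src_ip | dedup dest_ip` cannot give that guarantee, because each dedup discards whole events, so a destination whose only events were removed by the first dedup never reaches the second.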


Explorer

Thanks, this helped me resolve a similar question. I was trying to get a single list of website actions by IP address for a given date, and this helped me figure it out:

| stats values(actions), earliest(datetime) by src_ip


Hi, if you need a list of all source IPs and dest IPs that have the same dest port,

try something like:

......|eval src_dest_ip=coalesce(dest_ip,src_ip)|stats values (src_dest_ip)|where ......condition on ip's....


Path Finder

This puts it all into one list. I need them in 2 lists, one list for src and one list for dest.


Builder

Hello.
Try this:

index=... sourcetype=... dest_port=*| stats count by src_ip| stats count by dest_ip| table src_ip dest_ip dest_port

Path Finder

This gives 0 results.


Path Finder

I didn't think you could do 2 stats commands like that in a row, because the second one wouldn't have any results: there is no dest_ip to count by after the first stats command.


Builder

... dest_port=*| table src_ip dest_ip dest_port


Path Finder

Yeah, I tried that already; it shows each src and dest IP paired together.


Builder

What do you want now?


Path Finder

A list of all source IPs and a list of all destination IPs for any given destination port. The way you have it shows each IP talking together; I don't need that. I just need a list of the IPs, not what's talking to what.


Builder

For example, if you have port number 8000, you want something like this?

dest_port=8000| table src_ip dest_ip dest_port

Path Finder

No, if you do that it lists out multiple results if there are any. For example, if there are 10 src IPs that are 1.1.1.1, it lists that 10 times. Same with dest IPs. So I guess I need unique source IPs and unique dest IPs. Sorry, I should have put unique values in my question.


Builder

Ok, now I understand you better. Use the dedup command to get unique values. Try this:

dest_port=8000| dedup src_ip | dedup dest_ip | table src_ip dest_ip dest_port

Path Finder

Yep, already tried that one too. It cuts out some of the IPs for some reason. So, if I run my 2 separate searches I get 9 total src IPs and 20 total dest IPs. I run this and it's only giving me 8 of each. So 1 src IP and 12 dest IPs disappeared.


Path Finder

I thought I had it with

| dedup src_ip | stats list(src_ip), list(dest_ip) by dest_port

but it's still showing multiple of the same dest IPs.


Builder

Try this:

|transaction dest_port|table dest_port, src_ip, dest_ip


Path Finder

That's still grouping them together somehow. It's making multiple rows, with not all the same results in each row.
