Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to generate a search to find persistent connections between client workstations to the internet?

pdumblet
Explorer
‎03-07-2017 01:01 PM

I have squid proxy log that I want to mine for persistent connections from my client workstations to the internet (ie: teamviewer, gotomypc, spyware C&C, etc).

Looking to do a search to determine if clients connect to the same URL or IP address during each 1 hour period of the prior 24 hours.

I have started with this search:

index=proxy | bucket _time span=1h | stats count by _time,user,url | sort - user

Which gives me a list of all urls by user by count, I think I need to then search this query for all occurrences by user by hour for each URL to determine if they are in all 24 hour periods.

Suggestions? Thoughts? Thanks

0 Karma
Reply

woodcock
Esteemed Legend
‎03-09-2017 04:49 PM

You were so close; run your search for Last 24 hours and tack this onto the end of it:

| eventstats count(eval(count>0)) AS hours_non_zero BY user url | search hours_non_zero>=24
0 Karma
Reply

somesoni2
Revered Legend
‎03-07-2017 02:41 PM

Give this a try. This will give your all users and hours and url for last 24 hrs where a user-url combination did not appear for all 24 hrs.

index=proxy  earliest=-24h@h latest=@h | bucket _time span=1h | stats count by _time,user,url  | eventstats dc(_time) as totalHours by user,url | where totalHours<24
0 Karma
Reply

woodcock
Esteemed Legend
‎03-09-2017 04:49 PM

I think your < should be a =, right?

0 Karma
Reply
Get Updates on the Splunk Community!

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

What's New in Splunk Observability - October 2025

What’s New?    We’re excited to announce the latest enhancements to Splunk Observability Cloud and share ...