Splunk Search

How to generate a search to find persistent connections from client workstations to the internet?

pdumblet
Explorer

I have a squid proxy log that I want to mine for persistent connections from my client workstations to the internet (i.e. TeamViewer, GoToMyPC, spyware C&C, etc.).

Looking to do a search to determine if clients connect to the same URL or IP address during each 1-hour period of the prior 24 hours.

I have started with this search:

index=proxy | bucket _time span=1h | stats count by _time,user,url | sort - user

This gives me a list of all URLs by user with counts. I think I then need to search this query for all occurrences by user by hour for each URL, to determine if they are present in all 24 one-hour periods.

Suggestions? Thoughts? Thanks


woodcock
Esteemed Legend

You were so close; run your search for Last 24 hours and tack this onto the end of it:

| eventstats count(eval(count>0)) AS hours_non_zero BY user url | search hours_non_zero>=24

somesoni2
Revered Legend

Give this a try. This will give you all users, hours and URLs for the last 24 hours where a user-URL combination did not appear in all 24 hours.

index=proxy earliest=-24h@h latest=@h | bucket _time span=1h | stats count by _time,user,url | eventstats dc(_time) as totalHours by user,url | where totalHours<24

woodcock
Esteemed Legend

I think your < should be a =, right?

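The following is an added example, not code from the thread or from Splunk: it re-implements the SPL pipeline discussed above (bucket to 1h, count distinct hours per user and destination, keep pairs present in every hour) in plain Python over constructed squid access.log lines, so the logic can be checked offline. It assumes the squid "native" log layout (timestamp, elapsed, client, code/status, bytes, method, URL, user, hierarchy, type) and, going slightly beyond the thread, keys on the destination host rather than the full URL, since beaconing tools often vary the path or query string and CONNECT requests log only host:port. The search_window function also shows the point behind somesoni2's earliest=-24h@h latest=@h: an unsnapped "Last 24 hours" window straddles 25 partial hourly buckets, so an exact totalHours=24 test never matches a destination seen in every bucket of that window.

```python
"""Offline re-implementation of the thread's hourly-persistence search over squid logs.

Constructed example, not code from the original thread. It mirrors

    index=proxy earliest=-24h@h latest=@h
    | bucket _time span=1h | stats count by _time,user,url
    | eventstats dc(_time) as totalHours by user,url | where totalHours=24
"""
from collections import defaultdict
from urllib.parse import urlsplit

HOUR = 3600
DAY = 24 * HOUR
BASE = 1699999200  # 2023-11-14 22:00:00 UTC, an hour boundary (constructed)


def squid_line(ts, client, method, url, user):
    """Build one squid native access.log line (constructed sample data)."""
    return (f"{ts:.3f} 120 {client} TCP_MISS/200 512 {method} {url} {user} "
            f"HIER_DIRECT/203.0.113.5 text/plain")


# Constructed sample log: one hourly beacon, one hourly CONNECT tunnel,
# some ordinary browsing, and a burst of 24 hits inside a single hour.
SAMPLE_LOG = (
    [squid_line(BASE - DAY + i * HOUR + 420, "10.1.2.3", "GET",
                "http://beacon.example.net/ping?id=7", "alice") for i in range(25)]
    + [squid_line(BASE - DAY + i * HOUR + 3000, "10.1.2.9", "CONNECT",
                  "tunnel.example.org:443", "carol") for i in range(25)]
    + [squid_line(BASE - DAY + i * HOUR + 900, "10.1.2.4", "GET",
                  "http://www.example.com/news", "bob") for i in (2, 5, 9, 13, 20)]
    + [squid_line(BASE - 5 * HOUR + j * 100, "10.1.2.3", "GET",
                  "http://mail.example.com/inbox", "alice") for j in range(24)]
)


def parse_squid_line(line):
    """Native squid layout: ts elapsed client code/status bytes method url user hier type."""
    f = line.split()
    return float(f[0]), f[7], f[6]  # (timestamp, user, url)


def host_of(url):
    """Key on the destination host; CONNECT requests log 'host:port' with no scheme."""
    if "://" in url:
        return urlsplit(url).hostname or url
    return url.rsplit(":", 1)[0]


def hour_bucket(ts):
    """Equivalent of `bucket _time span=1h`."""
    return int(ts // HOUR) * HOUR


def search_window(latest, window_hours=24, snap=True):
    """Return (earliest, latest, required_buckets) for the window ending at `latest`.

    snap=True behaves like earliest=-24h@h latest=@h: exactly 24 full buckets.
    snap=False behaves like the 'Last 24 hours' picker: still 24h long, but the
    window straddles 25 partial buckets.
    """
    if snap:
        latest = hour_bucket(latest)
    earliest = latest - window_hours * HOUR
    required = (hour_bucket(latest - 1) - hour_bucket(earliest)) // HOUR + 1
    return earliest, latest, required


def hours_per_destination(lines, earliest, latest):
    """`stats count by _time,user,url | eventstats dc(_time) by user,url`:
    map (user, host) -> set of hourly buckets in which the pair appeared."""
    seen = defaultdict(set)
    for line in lines:
        ts, user, url = parse_squid_line(line)
        if earliest <= ts < latest:
            seen[(user, host_of(url))].add(hour_bucket(ts))
    return seen


def persistent_destinations(lines, latest, window_hours=24, snap=True):
    """`where totalHours = <buckets in window>`: pairs seen in every hourly bucket."""
    earliest, latest, required = search_window(latest, window_hours, snap)
    seen = hours_per_destination(lines, earliest, latest)
    return {key: len(b) for key, b in seen.items() if len(b) >= required}


if __name__ == "__main__":
    for snap in (True, False):
        print(f"snap={snap}:", persistent_destinations(SAMPLE_LOG, BASE + 1800, snap=snap))
```

Run as-is, the snapped window reports alice to beacon.example.net and carol to tunnel.example.org with 24 hours each, while the unsnapped window reports nothing: the same two beacons are present in 24 of its 25 partial buckets, which is exactly the case a fixed `where totalHours=24` or `hours_non_zero>=24` will treat differently depending on how the time range was chosen.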