I have a set of sources that access multiple destinations (IPs).
New to Splunk
The query has to be set in such a way that an alert is triggered when any user accesses more than 5 distinct destinations within 30 sec window.
So far I am able to get distinct destinations accessed by each source by using:
index= ....... | stats values(destnIP) by sourceIP
The challenge that I am facing is :
1. For 'x' number of destnIP for every sourceIP, a new column should be created which reflects the number 'x', as in the count of destnIP.
2. Unable to use commands (count, eval, etc.) after stats.
index= ....... | bin _time span=30s | stats values(destnIP) as dests by sourceIP, _time | stats list(dests) dc(dests) as count by sourceIP, _time
This should show sourceIP, the 30 second window of the connections, a list of destnIPs for the sourceIP, and a count of connections in that window. To filter out everything <=5 just add a "| where count>5" on the end.
So, this is totally for my own network so you'll have to adjust it for your own needs (just fieldnames), but it searches a 30 second window counting what you need.
index=fw src_ip=*
| sort - _time
| streamstats time_window=30s dc(DST) as CountOfDistinctDests, count(DST) as CountOfDests, values(DST) as DestsList
| stats list(DestsList) AS Destinations, sum(CountOfDistinctDests) AS "Count of Distinct Destinations"
sum(CountOfDests) AS "Count of Destinations" BY src_ip
| search "Count of Destinations">5
| table src_ip, Destinations, "Count of Distinct Destinations", "Count of Destinations"
So, fix up the fields (DST, src_ip, etc...) and obviously the index and stuff at the base search.
Thank you so much.
I could successfully get the required output
No problem! Thinking about this a bit more I should note that the 30 second bins essentially reset the count every 30 seconds. So it would catch if there were 5 connections from 12:30:00-12:30:30, but if the 5 connections occurred 12:30:15-12:30:45 it would have reset the count at 12:30:30 and would not be a running count over a 30 second span.
I'm not sure if this is suitable for you but may be something to consider. I'm still looking at how it could maintain a running count and drop the event count as it hits 30 seconds older than the newest event in the count.
That sounds like a task for streamstats with time_window=30s
Strange, gave me access denied posting as an answer but let me post it as a comment...
index= ....... | stats count values(destnIP) by sourceIP
Adding the count in there will give you a count in that stats. Try that.
Thank you for your reply.
I could get the count as the total number of destnIP accessed by the sourceIP
I am unable to get the number of distinct IPs accessed (which is displayed in the values(destnIP) column).
Thus the number of destnIPs is not matching the count, as count displays the total (it is also counting when a single IP is accessed multiple times).
Thank you so much for your help.
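As an added illustration that is not part of the thread (Python rather than SPL, and not code posted by anyone above), the block below replays the three points raised in this discussion on a constructed set of firewall events: the difference between `count` and `dc(destnIP)` that the asker ran into, the fixed 30-second bins of the `bin _time span=30s` answer resetting at the bin boundary, and the sliding window that `streamstats time_window=30s` provides. The sample IPs, timestamps and field names are all made up; the sliding-window count is kept per source here, whereas the posted search runs streamstats before grouping by src_ip.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample firewall events (not from the thread): (timestamp, source IP, destination IP).
# 10.0.0.5 reaches six distinct destinations between 12:30:15 and 12:30:44, a 29-second span that
# straddles the 12:30:30 boundary of fixed 30-second bins; one destination is contacted twice.
SAMPLE_EVENTS = [
    ("2024-01-01 12:30:15", "10.0.0.5", "192.0.2.1"),
    ("2024-01-01 12:30:20", "10.0.0.5", "192.0.2.2"),
    ("2024-01-01 12:30:25", "10.0.0.5", "192.0.2.3"),
    ("2024-01-01 12:30:35", "10.0.0.5", "192.0.2.4"),
    ("2024-01-01 12:30:40", "10.0.0.5", "192.0.2.5"),
    ("2024-01-01 12:30:44", "10.0.0.5", "192.0.2.6"),
    ("2024-01-01 12:30:44", "10.0.0.5", "192.0.2.6"),
    ("2024-01-01 12:30:10", "10.0.0.9", "192.0.2.1"),
    ("2024-01-01 12:30:11", "10.0.0.9", "192.0.2.1"),
]

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"
EPOCH = datetime(1970, 1, 1)  # naive reference so bucket math does not depend on local timezone


def parse_events(raw):
    """Parse the constructed rows and sort ascending by time (the order a streaming pass needs)."""
    parsed = [(datetime.strptime(ts, TIME_FORMAT), src, dst) for ts, src, dst in raw]
    return sorted(parsed, key=lambda e: e[0])


def count_vs_distinct(events):
    """Per source: (total connections, distinct destinations).
    This is the gap between `stats count by sourceIP` and `stats dc(destnIP) by sourceIP`."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for _, src, dst in events:
        totals[src] += 1
        dests[src].add(dst)
    return {src: (totals[src], len(dests[src])) for src in totals}


def peak_distinct_fixed_bins(events, span_seconds=30):
    """Highest distinct-destination count any source reaches inside one fixed bin.
    Mirrors `bin _time span=30s | stats dc(dests) by sourceIP, _time`: the count resets at each boundary."""
    bins = defaultdict(set)
    for ts, src, dst in events:
        bucket = int((ts - EPOCH).total_seconds()) // span_seconds * span_seconds
        bins[(src, bucket)].add(dst)
    peak = defaultdict(int)
    for (src, _), dset in bins.items():
        peak[src] = max(peak[src], len(dset))
    return dict(peak)


def peak_distinct_sliding(events, window_seconds=30):
    """Highest distinct-destination count in the window ending at each event, per source.
    Mirrors `streamstats time_window=30s dc(DST)`, kept per source here (an assumption of this example)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, src, dst in events:
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # drop events older than the window relative to the newest one
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return dict(peak)


def alerting_sources(peaks, threshold=5):
    """Sources whose peak distinct-destination count exceeds the threshold (the `| where count>5` step)."""
    return sorted(src for src, n in peaks.items() if n > threshold)


if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    print("count vs dc     :", count_vs_distinct(ev))
    print("fixed-bin alerts:", alerting_sources(peak_distinct_fixed_bins(ev)))
    print("sliding alerts  :", alerting_sources(peak_distinct_sliding(ev)))
```

On the constructed data the fixed-bin approach sees only three distinct destinations in each half of the minute and raises no alert, while the sliding window sees all six within 29 seconds of each other and flags 10.0.0.5; the repeated connection to 192.0.2.6 raises the total count to 7 but leaves the distinct count at 6, which is the discrepancy described in the last reply.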