Splunk Search

How to generate an alert for every source accessing multiple distinct destinations within a 30-second window?

512anagha
New Member

I have a set of sources that access multiple destinations (IPs).

New to Splunk.
The query has to be set up in such a way that an alert is triggered when any user accesses more than 5 distinct destinations within a 30-second window.

So far I am able to get distinct destinations accessed by each source by using:

index= ....... | stats values(destnIP) by sourceIP

The challenge that I am facing is:
1. For 'x' number of destnIP for every sourceIP, a new column should be created which reflects the number 'x', as in the count of destnIP.
2. Unable to use commands (count, eval, etc.) after stats.

1 Solution

mdsnmss
SplunkTrust

index= ....... | bin _time span=30s | stats values(destnIP) as dests by sourceIP, _time | stats list(dests) dc(dests) as count by sourceIP, _time

This should show sourceIP, the 30-second window of the connections, a list of destnIPs for the sourceIP, and a count of connections in that window. To filter out everything <=5, just add "| where count>5" on the end.


Richfez
SplunkTrust

So, this is totally for my own network, so you'll have to adjust it for your own needs (just field names), but it searches a 30-second window counting what you need.

index=fw src_ip=*
| sort - _time
| streamstats time_window=30s dc(DST) as CountOfDistinctDests, count(DST) as CountOfDests, values(DST) as DestsList by src_ip
| stats list(DestsList) AS Destinations, max(CountOfDistinctDests) AS "Count of Distinct Destinations"
   max(CountOfDests) AS "Count of Destinations" BY src_ip
| search "Count of Destinations">5
| table src_ip, Destinations, "Count of Distinct Destinations", "Count of Destinations"

So, fix up the fields (DST, src_ip, etc.) and obviously the index and such in the base search.



512anagha
New Member

Thank you so much.
I could successfully get the required output.


mdsnmss
SplunkTrust

No problem! Thinking about this a bit more, I should note that the 30-second bins essentially reset the count every 30 seconds. So it would catch 5 connections from 12:30:00-12:30:30, but if the 5 connections occurred 12:30:15-12:30:45 it would have reset the count at 12:30:30, and it would not be a running count over a 30-second span.

I'm not sure if this is suitable for you, but it may be something to consider. I'm still looking at how it could maintain a running count and drop the event count as it hits 30 seconds older than the newest event in the count.


Richfez
SplunkTrust

That sounds like a task for streamstats with time_window=30s.

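The difference between the fixed 30-second bins and a sliding 30-second window, as an added Python illustration that is not part of the thread and not Splunk code: both functions mimic the two SPL approaches over a constructed sample whose six distinct destinations straddle the 12:30:30 bin edge, so only the sliding version exceeds the threshold. The sample values and the window semantics (a trailing window ending at each event) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample (timestamp, src, dst) events, not data from the thread: six
# distinct destinations hit between 12:30:15 and 12:30:45, straddling a 12:30:30 bin edge.
SAMPLE_EVENTS = [
    ("2024-01-01 12:30:15", "10.0.0.5", "192.0.2.1"),
    ("2024-01-01 12:30:20", "10.0.0.5", "192.0.2.2"),
    ("2024-01-01 12:30:25", "10.0.0.5", "192.0.2.3"),
    ("2024-01-01 12:30:35", "10.0.0.5", "192.0.2.4"),
    ("2024-01-01 12:30:40", "10.0.0.5", "192.0.2.5"),
    ("2024-01-01 12:30:45", "10.0.0.5", "192.0.2.6"),
    ("2024-01-01 12:30:45", "10.0.0.5", "192.0.2.1"),  # repeat hit; must not inflate dc
]

def _parse(events):
    """Parse timestamps as UTC; return (time, src, dst) tuples in time order."""
    return sorted((datetime.strptime(t, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc), s, d)
                  for t, s, d in events)

def fixed_bin_max_dc(events, span_s=30):
    """Like `bin _time span=30s | stats dc(dest) by src, _time`: peak distinct dests per fixed bucket."""
    buckets = defaultdict(set)
    for ts, src, dst in _parse(events):
        bucket = int(ts.timestamp()) // span_s * span_s  # bucket start, aligned to the epoch
        buckets[(src, bucket)].add(dst)
    best = defaultdict(int)
    for (src, _), dsts in buckets.items():
        best[src] = max(best[src], len(dsts))
    return dict(best)

def sliding_window_max_dc(events, window_s=30):
    """Like `streamstats time_window=30s dc(dest) by src`: peak distinct dests in any trailing window."""
    per_src = defaultdict(list)
    for ts, src, dst in _parse(events):
        per_src[src].append((ts, dst))
    best = {}
    for src, evs in per_src.items():
        peak = 0
        for ts, _ in evs:
            lo = ts - timedelta(seconds=window_s)  # window is (ts - 30s, ts], an assumed convention
            peak = max(peak, len({d for t, d in evs if lo < t <= ts}))
        best[src] = peak
    return best

def alerting_sources(max_dc_by_src, threshold=5):
    """Sources whose peak distinct-destination count exceeds the threshold, like `where count>5`."""
    return sorted(src for src, n in max_dc_by_src.items() if n > threshold)
```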

mdsnmss
SplunkTrust

Strange, gave me access denied posting as an answer but let me post it as a comment...


Richfez
SplunkTrust
index= ....... | stats count values(destnIP) by sourceIP

Adding the count in there will give you a count in that stats output. Try that.


512anagha
New Member

Thank you for your reply.

I could get the count as the total number of destnIPs accessed by the sourceIP.

I am unable to get the number of distinct IPs accessed (which is displayed in the values(destnIP) column).

Thus the number of destnIPs is not matching the count, as the count displayed is the total (it is also counting when a single IP is accessed multiple times).

Thank you so much for your help.
