Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to match values within a multi-value column

joeldavideng
Path Finder
‎10-15-2017 03:54 PM

I'm putting together a search that lists all of the IP addresses associated with scanning my firewall. Due to the fact that hundreds of IP addresses scan my firewall everyday, I'd like to be able to focus on the ones that found my remote access port. I have a search that correctly lists all scanner IP addresses, but I'm not sure how to then search the distinct values returned by the search within a multi-value column. Can you let me know what to add to this search to filter on only source_ips that hit a destination_port equal to some arbitrary number?

index=physical_defenses sourcetype=pfsense
| stats dc(destination_port) AS distinct_destination_port_count values(destination_port) AS destination_ports by source_ip destination_ip
| where distinct_destination_port_count>2
| table source_ip destination_ports distinct_destination_port_count

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

andre_tucker
Path Finder
‎10-15-2017 04:02 PM

There are several ways that this can be done. One method could be adding
| search destination_ports=*4135* however that isn't very elegant. Alternatively you could use an eval statement with the mvfilter function to return only multi value fields that contain your port. Ex
| eval remote_access_port = mvfilter(destination_ports="4135")

View solution in original post

Reply
Solved! Jump to solution
Solution

andre_tucker
Path Finder
‎10-15-2017 04:02 PM

There are several ways that this can be done. One method could be adding
| search destination_ports=*4135* however that isn't very elegant. Alternatively you could use an eval statement with the mvfilter function to return only multi value fields that contain your port. Ex
| eval remote_access_port = mvfilter(destination_ports="4135")

View solution in original post

Reply
Solved! Jump to solution

joeldavideng
Path Finder
‎10-15-2017 04:06 PM

Thanks for the quick turnaround on the help. I wasn't able to get the first method working, I'm not sure if that was meant to be a sub-search or something, but the second method of using an mvfilter worked like a charm.

0 Karma
Reply
The Latest From the Splunk Community!