Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to match values within a multi-value column

joeldavideng
Path Finder
‎10-15-2017 03:54 PM

I'm putting together a search that lists all of the IP addresses associated with scanning my firewall. Due to the fact that hundreds of IP addresses scan my firewall everyday, I'd like to be able to focus on the ones that found my remote access port. I have a search that correctly lists all scanner IP addresses, but I'm not sure how to then search the distinct values returned by the search within a multi-value column. Can you let me know what to add to this search to filter on only source_ips that hit a destination_port equal to some arbitrary number?

index=physical_defenses sourcetype=pfsense
| stats dc(destination_port) AS distinct_destination_port_count values(destination_port) AS destination_ports by source_ip destination_ip
| where distinct_destination_port_count>2
| table source_ip destination_ports distinct_destination_port_count

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

andre_tucker
Path Finder
‎10-15-2017 04:02 PM

There are several ways that this can be done. One method could be adding
| search destination_ports=*4135* however that isn't very elegant. Alternatively you could use an eval statement with the mvfilter function to return only multi value fields that contain your port. Ex
| eval remote_access_port = mvfilter(destination_ports="4135")

View solution in original post

Reply
Solved! Jump to solution
Solution

andre_tucker
Path Finder
‎10-15-2017 04:02 PM

There are several ways that this can be done. One method could be adding
| search destination_ports=*4135* however that isn't very elegant. Alternatively you could use an eval statement with the mvfilter function to return only multi value fields that contain your port. Ex
| eval remote_access_port = mvfilter(destination_ports="4135")

Reply
Solved! Jump to solution

joeldavideng
Path Finder
‎10-15-2017 04:06 PM

Thanks for the quick turnaround on the help. I wasn't able to get the first method working, I'm not sure if that was meant to be a sub-search or something, but the second method of using an mvfilter worked like a charm.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...