Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to match values within a multi-value colum...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
joeldavideng
Path Finder
10-15-2017
03:54 PM
I'm putting together a search that lists all of the IP addresses associated with scanning my firewall. Due to the fact that hundreds of IP addresses scan my firewall everyday, I'd like to be able to focus on the ones that found my remote access port. I have a search that correctly lists all scanner IP addresses, but I'm not sure how to then search the distinct values returned by the search within a multi-value column. Can you let me know what to add to this search to filter on only source_ips that hit a destination_port equal to some arbitrary number?
index=physical_defenses sourcetype=pfsense
| stats dc(destination_port) AS distinct_destination_port_count values(destination_port) AS destination_ports by source_ip destination_ip
| where distinct_destination_port_count>2
| table source_ip destination_ports distinct_destination_port_count
Thanks
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
andre_tucker
Path Finder
10-15-2017
04:02 PM
There are several ways that this can be done. One method could be adding
| search destination_ports=*4135* however that isn't very elegant. Alternatively you could use an eval statement with the mvfilter function to return only multi value fields that contain your port. Ex
| eval remote_access_port = mvfilter(destination_ports="4135")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
andre_tucker
Path Finder
10-15-2017
04:02 PM
There are several ways that this can be done. One method could be adding
| search destination_ports=*4135* however that isn't very elegant. Alternatively you could use an eval statement with the mvfilter function to return only multi value fields that contain your port. Ex
| eval remote_access_port = mvfilter(destination_ports="4135")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
joeldavideng
Path Finder
10-15-2017
04:06 PM
Thanks for the quick turnaround on the help. I wasn't able to get the first method working, I'm not sure if that was meant to be a sub-search or something, but the second method of using an mvfilter worked like a charm.
Get Updates on the Splunk Community!
Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
A Prelude to .conf25: Your Guide to Splunk University
Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...
4 Ways the Splunk Community Helps You Prepare for .conf25
.conf25 is right around the corner, and whether you’re a first-time attendee or a seasoned Splunker, the ...
