Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search for Top 2-way communicators using top src_ip,dest_ip to find top dest_ip,src_ip?

jcrochon
Explorer
‎07-23-2018 01:23 PM

Hello all,

I have some IDS alerts "top src_ip,dest_ip" in which I want to see if the dest_ip is contacting the src_ip's. This would lead me to investigate the communications between the 2 IP's, else if the dest_ip is not communicating back, I would ignore and move on.

Top Src_IP (Internet)   ->    Top Dest_IP (Local) | HitCount
**1.2.3.4**  ->  192.168.1.2  | 254
**4.3.2.1**  ->  192.168.1.4  | 245

Lookup Table (Src_IP)
**1.2.3.4**
**4.3.2.1**

Search question: Is the Top Dest_IP's (Local) contacting back to Lookup Table Src_IP's (Internet):

Top Dest_IP (*aka new Src_IP*) -> Top Src_IP (* aka new Dest_IP*) | HitCount
192.168.1.2 -> **1.2.3.4** | 20
192.168.1.4 -> **4.3.2.1** | 30

I have been working with something like this: source="/var/log/alerts.log" dest_ip="192.168.*" [ search source="/var/log/alerts.log" dest_ip="192.168.*" | top src_ip,dest | table src_ip ] | top dest_ip,src_ip

I'm not getting any results -- I humbly assume it's my error -- I should be seeing some communication back.

Please double-check my design and thank you for all the help.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎07-23-2018 01:46 PM

Give this a try

source="/var/log/alerts.log" dest_ip="192.168.*" [ search source="/var/log/alerts.log" dest_ip="192.168.*" | top src_ip,dest_ip | table dest_ip | rename dest_ip as src_ip ] | top dest_ip,src_ip

View solution in original post

Reply
Solved! Jump to solution

jcrochon
Explorer
‎07-23-2018 01:48 PM

Added swap of src_ip as new destination:

source="/var/log/alerts.log" dest_ip="192.168.*" [ search source="/var/log/alerts.log" dest_ip="192.168.*" | top src_ip,dest_ip | rename src_ip AS newDest | table newDest ] | rename dest_ip AS newSrc | top newSrc,newDest

0 Karma
Reply
Solved! Jump to solution

somesoni2
SplunkTrust
SplunkTrust
‎07-23-2018 01:56 PM

Your rename command should rename the field according to the name it's available in your logs (the field name in your logs (source="/var/log/alerts.log") is src_ip and dest_ip, so the subsearch should return field either src_ip or dest_ip.

Reply
Solved! Jump to solution

jcrochon
Explorer
‎07-23-2018 04:08 PM

Thank you for the clarification. I need to learn more about how searching works. I was trying to use temp vars as in programming.

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎07-23-2018 01:46 PM

Give this a try

source="/var/log/alerts.log" dest_ip="192.168.*" [ search source="/var/log/alerts.log" dest_ip="192.168.*" | top src_ip,dest_ip | table dest_ip | rename dest_ip as src_ip ] | top dest_ip,src_ip
Reply
Solved! Jump to solution

jcrochon
Explorer
‎07-24-2018 09:43 AM

One caveat, remove the dest_ip="192.168.*" from the secondary search due to search collisions, such as src_ip="192.168.*" && dest_ip="192.168.*"

source="/var/log/alerts.log" [ search source="/var/log/alerts.log" dest_ip="192.168.*" | top src_ip,dest_ip | table dest_ip | rename dest_ip as src_ip ] | top dest_ip,src_ip

0 Karma
Reply
Solved! Jump to solution

jcrochon
Explorer
‎07-24-2018 01:41 PM

Added better stats (single src to multiple dest):

source="/var/log/alerts.log" [ search source="/var/log/alerts.log" dest_ip="192.168.*") | top src_ip,dest_ip | table dest_ip | rename dest_ip as src_ip ] | stats values(dest_ip),values(name),count(name) by src_ip | sort - count(name)

0 Karma
Reply
Solved! Jump to solution

jcrochon
Explorer
‎07-24-2018 07:26 AM

That worked as expected. I would like to give you credit if you can make this an answer instead of a comment.

0 Karma
Reply
Solved! Jump to solution

somesoni2
SplunkTrust
SplunkTrust
‎07-24-2018 07:43 AM

Here you go.

Reply
Get Updates on the Splunk Community!

Index This | Why do they call it hyper text?

November 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk

For the past three years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

The Great Resilience Quest: 9th Leaderboard Update

The ninth leaderboard update (11.9-11.22) for The Great Resilience Quest is out >> Kudos to all the ...