Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search for Top 2-way communicators using top src_ip,dest_ip to find top dest_ip,src_ip?

jcrochon
Explorer
‎07-23-2018 01:23 PM

Hello all,

I have some IDS alerts "top src_ip,dest_ip" in which I want to see if the dest_ip is contacting the src_ip's. This would lead me to investigate the communications between the 2 IP's, else if the dest_ip is not communicating back, I would ignore and move on.

Top Src_IP (Internet)   ->    Top Dest_IP (Local) | HitCount
**1.2.3.4**  ->  192.168.1.2  | 254
**4.3.2.1**  ->  192.168.1.4  | 245

Lookup Table (Src_IP)
**1.2.3.4**
**4.3.2.1**

Search question: Is the Top Dest_IP's (Local) contacting back to Lookup Table Src_IP's (Internet):

Top Dest_IP (*aka new Src_IP*) -> Top Src_IP (* aka new Dest_IP*) | HitCount
192.168.1.2 -> **1.2.3.4** | 20
192.168.1.4 -> **4.3.2.1** | 30

I have been working with something like this: source="/var/log/alerts.log" dest_ip="192.168.*" [ search source="/var/log/alerts.log" dest_ip="192.168.*" | top src_ip,dest | table src_ip ] | top dest_ip,src_ip

I'm not getting any results -- I humbly assume it's my error -- I should be seeing some communication back.

Please double-check my design and thank you for all the help.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎07-23-2018 01:46 PM

Give this a try

source="/var/log/alerts.log" dest_ip="192.168.*" [ search source="/var/log/alerts.log" dest_ip="192.168.*" | top src_ip,dest_ip | table dest_ip | rename dest_ip as src_ip ] | top dest_ip,src_ip

View solution in original post

Reply
Solved! Jump to solution

jcrochon
Explorer
‎07-23-2018 01:48 PM

Added swap of src_ip as new destination:

source="/var/log/alerts.log" dest_ip="192.168.*" [ search source="/var/log/alerts.log" dest_ip="192.168.*" | top src_ip,dest_ip | rename src_ip AS newDest | table newDest ] | rename dest_ip AS newSrc | top newSrc,newDest

0 Karma
Reply
Solved! Jump to solution

somesoni2
SplunkTrust
SplunkTrust
‎07-23-2018 01:56 PM

Your rename command should rename the field according to the name it's available in your logs (the field name in your logs (source="/var/log/alerts.log") is src_ip and dest_ip, so the subsearch should return field either src_ip or dest_ip.

Reply
Solved! Jump to solution

jcrochon
Explorer
‎07-23-2018 04:08 PM

Thank you for the clarification. I need to learn more about how searching works. I was trying to use temp vars as in programming.

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎07-23-2018 01:46 PM

Give this a try

source="/var/log/alerts.log" dest_ip="192.168.*" [ search source="/var/log/alerts.log" dest_ip="192.168.*" | top src_ip,dest_ip | table dest_ip | rename dest_ip as src_ip ] | top dest_ip,src_ip
Reply
Solved! Jump to solution

jcrochon
Explorer
‎07-24-2018 09:43 AM

One caveat, remove the dest_ip="192.168.*" from the secondary search due to search collisions, such as src_ip="192.168.*" && dest_ip="192.168.*"

source="/var/log/alerts.log" [ search source="/var/log/alerts.log" dest_ip="192.168.*" | top src_ip,dest_ip | table dest_ip | rename dest_ip as src_ip ] | top dest_ip,src_ip

0 Karma
Reply
Solved! Jump to solution

jcrochon
Explorer
‎07-24-2018 01:41 PM

Added better stats (single src to multiple dest):

source="/var/log/alerts.log" [ search source="/var/log/alerts.log" dest_ip="192.168.*") | top src_ip,dest_ip | table dest_ip | rename dest_ip as src_ip ] | stats values(dest_ip),values(name),count(name) by src_ip | sort - count(name)

0 Karma
Reply
Solved! Jump to solution

jcrochon
Explorer
‎07-24-2018 07:26 AM

That worked as expected. I would like to give you credit if you can make this an answer instead of a comment.

0 Karma
Reply
Solved! Jump to solution

somesoni2
SplunkTrust
SplunkTrust
‎07-24-2018 07:43 AM

Here you go.

Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...