Trying to list the total number of allowed connections to a destination IP from any/all source IPs.
Currently using the following search:
index=firewall_usa dest_ip=xx.xx.xx.xx action=allowed
| stats count BY src_ip dest_ip
| where count > 1
| sort -count
Is there a better/quicker way to do this?
Appreciate the assistance from the experts here.
The ask has developed.
I'm looking to list the total connections to the destination IP by day, regardless of source, to try to determine the volume of connections per day of the week and also, if possible, to determine when during the day the number of connections peaks.
Any help would be greatly appreciated.
Thanks in advance
You probably have several, possibly different, network devices. Good practice would be to install the CIM app and parse all your network sources to be CIM-compliant (usually add-ons do that) and get the data into Network Traffic datamodel.
If you have lots of events, you can accelerate the datamodel so you only use accelerated summaries for your searches, not the raw data. It's much, much quicker this way.
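The accelerated-datamodel version of the original search, as an added example that is not part of any post in this thread: it reads the CIM Network Traffic model (datamodel Network_Traffic, root dataset All_Traffic, fields src, dest and action) instead of the raw index. The destination xx.xx.xx.xx is the thread's placeholder; summariesonly=true is an assumption that the model has been accelerated for the whole search window, and should be dropped (the default is false) if you want Splunk to fall back to raw events for any range that has no summary yet.

```spl
| tstats summariesonly=true count AS connections
    FROM datamodel=Network_Traffic
    WHERE All_Traffic.dest="xx.xx.xx.xx" All_Traffic.action="allowed"
    BY All_Traffic.src All_Traffic.dest
| rename All_Traffic.* AS *
| where connections > 1
| sort 0 -connections
```

The `0` after `sort` removes the default 10,000-row cap so a busy destination does not get silently truncated. Note that a tstats search only sees events the add-on has mapped into All_Traffic; if the firewall index is not CIM-compliant (or is excluded by the model's index constraint), this search returns nothing even though the raw search does.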
Thanks for your response;
Yes we do have several different network devices, all except firewall traffic goes to a network traffic index with FW events going to a separate index, but I believe CIM compliance has been taken care of.
Hi @Gurv_Bahad
This might help,
However, what is your expected output?
Accordingly, we can modify the SPL to show the output.
index=firewall_us dest_ip=xx.xx.xx.xx action=allowed
| stats list(src_ip) as source count by dest_ip
| where count > 1
| sort -count
Thanks for the response Sanjay.
index=firewall_us dest_ip=xx.xx.xx.xx action=allowed
| stats list(src_ip) as source count by dest_ip
| where count > 1
| sort -count
This doesn't return any results at all
Actually I'm just looking for the total number of connections to the destination IP regardless of source IP.
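A search for the developed ask (total connections per day and the hour at which they peak), added here as an example that is not from any of the posters. It assumes the same index and field names the thread uses (index=firewall_usa, dest_ip, action=allowed), with xx.xx.xx.xx as the placeholder destination. The first stats turns the events into one row per hour; the sort plus first() trick then picks, within each day, the hour with the highest count.

```spl
index=firewall_usa dest_ip=xx.xx.xx.xx action=allowed
| bin _time span=1h
| stats count AS hourly_connections BY _time
| eval day=strftime(_time, "%Y-%m-%d"), day_of_week=strftime(_time, "%A"), hour=strftime(_time, "%H")
| sort 0 day, -hourly_connections
| stats sum(hourly_connections) AS daily_total, first(hour) AS peak_hour, first(hourly_connections) AS peak_hour_connections BY day, day_of_week
| sort 0 day
```

Run it over several weeks and append `| stats avg(daily_total) AS avg_connections BY day_of_week` if you want the day-of-week profile rather than individual dates. strftime() renders _time in the searching user's time zone, so peak_hour is local to you, whereas the auto-extracted date_hour and date_wday fields follow the time zone of the raw timestamp and can be off by several hours. Also check whether your firewall writes more than one event per session (for example, a start and an end record); if it does, `count` is events rather than connections, and you should count distinct session IDs instead.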