Splunk Search

How to search for total number of src_ip connections to a dest_ip?

Gurv_Bahad
Engager

Trying to list the total number of allowed connections to a destination IP from any/all source IPs.

currently using the following search,

index=firewall_usa dest_ip=xx.xx.xx.xx action=allowed
| stats count BY src_ip dest_ip
| where count > 1
| sort - count

Is there a better/quicker way to do this?


Gurv_Bahad
Engager

Appreciate the assistance from the experts here.

The ask has developed.

I'm looking to list total connections to the destination IP by day, regardless of source, to try and determine the volume of connections per day of the week and also, if possible, to determine when during the day the number of connections peaks.
Any help would be greatly appreciated.

Thanks in advance


PickleRick
SplunkTrust

You probably have several, possibly different, network devices. Good practice would be to install the CIM app and parse all your network sources to be CIM-compliant (usually add-ons do that) and get the data into Network Traffic datamodel.

If you have lots of events, you can accelerate the datamodel so you only use accelerated summaries for your searches, not the raw data. It's much, much quicker this way.


Gurv_Bahad
Engager

Thanks for your response.

Yes, we do have several different network devices; all except firewall traffic goes to a network traffic index, with FW events going to a separate index, but I believe CIM compliance has been taken care of.

SanjayReddy
SplunkTrust

Hi @Gurv_Bahad,

This might help.

However, what is your expected output?

Accordingly, we can modify the SPL to show the output.

index=firewall_us dest_ip=xx.xx.xx.xx action=allowed
| stats list(src_ip) as source count by dest_ip
| where count > 1
| sort - count

Gurv_Bahad
Engager

Thanks for the response Sanjay.

index=firewall_us dest_ip=xx.xx.xx.xx action=allowed
| stats list(src_ip) as source count by dest_ip
| where count > 1
| sort - count

This doesn't return any results at all.
Actually, I'm just looking for the total number of connections to the destination IP regardless of source IP.
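
The by-day and peak-hour view asked for in this thread, as an added example search that is not part of any post above: it keeps the original index, field names and placeholder destination IP, assumes event timestamps are parsed correctly, and reports each day's total allowed connections to the destination together with that day's three busiest hours.

```spl
index=firewall_usa dest_ip=xx.xx.xx.xx action=allowed earliest=-4w@w latest=@w
| bin _time span=1h
| stats count AS connections BY _time
| eval day=strftime(_time, "%Y-%m-%d"), weekday=strftime(_time, "%A"), hour=strftime(_time, "%H")
| eventstats sum(connections) AS connections_per_day BY day
| sort 0 day, -connections
| streamstats count AS hour_rank BY day
| where hour_rank <= 3
| table day weekday connections_per_day hour connections
```

To compare weekdays across the four weeks, append `| dedup day | stats avg(connections_per_day) AS avg_connections BY weekday`; once the firewall data is in an accelerated Network_Traffic datamodel, the first three lines can be replaced by a `tstats` count over `All_Traffic.dest` and `All_Traffic.action` for a much faster search.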

