Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search use stats count filter two fields?

longmen
Path Finder
‎04-27-2023 11:01 AM

Hi All,

I am doing a search for src_ip and DestAdd in a database within a 1 minute time frame. I need to look for src_ip which value that is not greater than 1 and DestAdd that is not greater than 5. Here is the description of the problem: when any of these with the same source IP more than 1 time, across more than 5 destination IP within 1 minutes. I wonder if my query correct. Can anyone advise? Thanks 

 

|bin span=1m _time |stats count(src_ip) as src_ip, count(DestAddress) as DestAddress by _time  |where (src_ip > 1 and DestAddress>5)

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎04-27-2023 11:04 PM

One thing is not completely clear in your description.  Any src_ip that makes contact with "more than 5 destination IP within 1 minutes" must have appeared "more than 1 time" during the same minute.  Is there some additional constraint?

If there is no additional condition, you can use this search

| bin span=1m _time
| stats dc(DestAddress) as unique_dest by src_ip _time
| where unique_dest > 5

This is assuming that src_ip and DestAddress are present in the same event.  The question doesn't seem to make sense if an event only contains src_ip or DestAddress but not both, unless there is some other way to link src_ip and DestAddress.  If that is the case, you will need to analyze that link.

 

View solution in original post

Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎04-27-2023 11:04 PM

One thing is not completely clear in your description.  Any src_ip that makes contact with "more than 5 destination IP within 1 minutes" must have appeared "more than 1 time" during the same minute.  Is there some additional constraint?

If there is no additional condition, you can use this search

| bin span=1m _time
| stats dc(DestAddress) as unique_dest by src_ip _time
| where unique_dest > 5

This is assuming that src_ip and DestAddress are present in the same event.  The question doesn't seem to make sense if an event only contains src_ip or DestAddress but not both, unless there is some other way to link src_ip and DestAddress.  If that is the case, you will need to analyze that link.

 

Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...