Splunk Search

How to search web logs for all destination IPs that only a single source IP has requested?

ng87
Path Finder

So I have web logs 🙂; the web logs contain source IP, destination IP and other info.
I am trying to write a search that will show me all the destination IPs that only a single source IP has requested.

An example: more than 100 source IPs connected to Google's IP, however only a single IP has connected to hxxp://iambad.com.
Any ideas on how to craft this search? I have been trying using:

| stats count(dest_ip) as DEST by src_ip
| where DEST = 1

However, this returns any destination IP that has been visited once PER source IP and not all source IPs.

I hope the above makes sense and you can help.

1 Solution

acharlieh
Influencer

I think I understand...

<base search> | stats values(src_ip) as src_ips by dest_ip | where mvcount(src_ips) = 1

For every destination IP, we collect the list of unique source IPs that connected to it, and keep only those where there is only one source IP in that list.

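The accepted search, reproduced here as an added Python example (not from the thread or from Splunk) over constructed web log lines, next to the original attempt so the effect of grouping by dest_ip rather than by src_ip is visible. The IPs and the log format are made up; only hxxp://iambad.com comes from the question.

```python
from collections import defaultdict

# Constructed sample web log lines: "<timestamp> <src_ip> <dest_ip> <url>".
# RFC 5737 documentation addresses stand in for real hosts.
SAMPLE_LOGS = """\
2024-06-01T10:00:01 10.0.0.5 192.0.2.10 http://www.example.com/
2024-06-01T10:00:02 10.0.0.6 192.0.2.10 http://www.example.com/
2024-06-01T10:00:03 10.0.0.7 192.0.2.10 http://www.example.com/
2024-06-01T10:00:04 10.0.0.5 203.0.113.77 hxxp://iambad.com/beacon
2024-06-01T10:01:04 10.0.0.5 203.0.113.77 hxxp://iambad.com/beacon
2024-06-01T10:00:05 10.0.0.8 198.51.100.9 http://updates.example.net/
"""


def parse(lines):
    """Yield (src_ip, dest_ip) pairs, skipping malformed lines."""
    for line in lines.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        yield parts[1], parts[2]


def single_source_destinations(lines):
    """Equivalent of the accepted SPL:
    stats values(src_ip) as src_ips, count by dest_ip | where mvcount(src_ips) = 1
    Returns {dest_ip: (lone_src_ip, total_requests)}. The request count is kept
    because a lone source that beacons repeatedly is what an analyst wants to see."""
    srcs = defaultdict(set)   # dest_ip -> distinct source IPs (values())
    hits = defaultdict(int)   # dest_ip -> event count (count)
    for src, dest in parse(lines):
        srcs[dest].add(src)
        hits[dest] += 1
    return {dest: (next(iter(s)), hits[dest]) for dest, s in srcs.items() if len(s) == 1}


def per_source_single_hit(lines):
    """The original attempt: stats count(dest_ip) as DEST by src_ip | where DEST = 1.
    Grouping by src_ip answers a different question: which sources made exactly one
    request. Here it flags three harmless clients and misses the beaconing host."""
    counts = defaultdict(int)
    for src, _dest in parse(lines):
        counts[src] += 1
    return {src for src, c in counts.items() if c == 1}


if __name__ == "__main__":
    for dest, (src, n) in single_source_destinations(SAMPLE_LOGS).items():
        print(f"{dest} requested only by {src} ({n} requests)")
```

Note that 198.51.100.9 is also reported: a destination with a single source is rare in this data set, not necessarily malicious, so the result is a hunting list to triage rather than an alert.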

badarsebard
Communicator

I'm not sure I understand your example very well, but I can tell you that if you want to view all destination IPs that each source IP has requested, you will need to perform a stats command and split by src_ip (e.g. |stats list(dest_ip) by src_ip). As for the particular function you want, I would recommend checking out list or values first, as they are most likely what you want.
