Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search web logs for all destination IPs that only a single source IP has requested?

ng87
Path Finder
‎09-03-2015 03:53 AM

So I have web logs 🙂 , weblogs contain source IP, destination IP and other info.
I am trying to write a search that will show me all the destination IP's that only a single source IP has requested.

Example is something like more than 100 source IP's connected to Google's IP, however, only a single IP has connected to hxxp://iambad.com .
Any ideas on how to craft this search? I have been trying using:

| stats count(dest_ip) as DEST by src_ip
| DEST = 1

However, this returns any destination IP that has been visited once PER source IP and not all source IPs.

I hope the above makes sense and you can help

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

acharlieh
Influencer
‎09-03-2015 06:38 AM

I think I understand... 

<base search> | stats values(src_ip) as src_ips by dest_ip | where mvcount(src_ips) = 1

for every destination ip, we collect the list of unique source ips that connected to it, and keep only those where there is only 1 source ip in that list

View solution in original post

Reply
Solved! Jump to solution
Solution

acharlieh
Influencer
‎09-03-2015 06:38 AM

I think I understand... 

<base search> | stats values(src_ip) as src_ips by dest_ip | where mvcount(src_ips) = 1

for every destination ip, we collect the list of unique source ips that connected to it, and keep only those where there is only 1 source ip in that list

Reply
Solved! Jump to solution

badarsebard
Communicator
‎09-03-2015 06:13 AM

I'm not sure I understand your example very well, but I can tell you that if you want to view all destination IPs that each source IP has requested you will need to perform a stats command and split by src_ip, (e.g. |stats list(dest_ip) by src_ip). As for the particular function you want, I would recommend checking out list or values first as they are most likely what you want.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...