Solved: Query to capture distinct source IP who triggered ...

sumit29 · ‎12-23-2015

Dear Experts,

I require help to create the query.
I am creating the rule if single(unique) source triggered distinct signature(more than 2) . Than only we should get the result.

Fields involved src,signature,count

Thanks in advance

dcarmack_splunk · ‎12-23-2015

Gotcha. Try this for your stats then.

... | stats values(signature) as signatures by src | eval sig_count=mvcount(signature) | where sig_count >= 2

View solution in original post

dcarmack_splunk · ‎12-23-2015

Gotcha. Try this for your stats then.

... | stats values(signature) as signatures by src | eval sig_count=mvcount(signature) | where sig_count >= 2

sumit29 · ‎12-23-2015

Thanks :)....

dcarmack_splunk · ‎12-23-2015

no problem, glad to help!

dcarmack_splunk · ‎12-23-2015

index= sourcetype= | fields src signature | stats count by src signature | where count >= 2

sumit29 · ‎12-23-2015

Thanks, But this query only gives signature count along with src , I require count of signature from single source.

Let say source 10.10.10.10 trigger signature name = x and another signature name =y . so this source triggered 2 distinct signature . This what i am looking

Query to capture distinct source IP who triggered multiple signatures

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services