
itsmevic
Communicator
12-31-2019
11:08 AM
Hello fellow Splunkers ( :
Does anyone have some SPL lying around that shows network traffic that is NOT United States based, from both the source and destination standpoints? I'd like to be able to monitor any of this type of traffic on my network via Splunk.
1 Solution

itsmevic
Communicator
01-23-2020
12:02 PM
index=* sourcetype=* action="*"
| stats count by host, src_ip, dest_ip, port
| iplocation src_ip
| where Country!="United States"
OR
index=* sourcetype=* action="*"
| stats count by src_ip, dest_ip
| iplocation src_ip
| where Country!="United States"
| geostats latfield=lat longfield=lon count by Country
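A variant of the accepted search, added here as an example and not part of the thread, that geolocates both ends of each connection rather than only the source. It assumes the same src_ip, dest_ip, host, port and action fields used above, and it calls iplocation once per address field with a prefix because iplocation resolves a single IP field per invocation:

```spl
index=* sourcetype=* action="*"
| stats count by host, src_ip, dest_ip, port
| iplocation prefix=src_ src_ip
| iplocation prefix=dest_ dest_ip
| where (isnotnull(src_Country) AND src_Country!="United States")
     OR (isnotnull(dest_Country) AND dest_Country!="United States")
| fillnull value="Unresolved" src_Country dest_Country
| table host src_ip src_Country dest_ip dest_Country port count
| sort - count
```

Addresses that iplocation cannot place (private RFC 1918 ranges, unallocated space) get no Country field at all; the isnotnull guards mean such an address neither triggers nor suppresses a match, and the fillnull only labels it in the output. to4kawa's point about the geolocation data applies here too: iplocation reads the MaxMind GeoLite2 database bundled with Splunk, so a result is only as current as that file.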
to4kawa
Ultra Champion
12-31-2019
02:44 PM
Will you provide a sample log?
Is country identification (MaxMind GeoLite2) a problem?
Do you update the country data?
