Solved: SPL: Searching the Network Traffic for anything t...

itsmevic · ‎12-31-2019

Hello fellow Splunkers ( :

Does anyone have some SPL laying around that shows network traffic that is NOT United States based both source and destination standpoints.  I'd like to be able to monitor any of this type of traffic on my network via Splunk.

itsmevic · ‎01-23-2020

index=* sourcetype=* action="*"
|stats count by host,src_ip,dest_ip,port
|where src_ip!="United States"

OR

Index=* sourcetype=* action="*"
| stats count by src_ip dest_ip
|iplocation src_ip dest_ip
| where Country != "United States"
|geostats latfield=lat longfield=lon count by Country

View solution in original post

itsmevic · ‎01-23-2020

index=* sourcetype=* action="*"
|stats count by host,src_ip,dest_ip,port
|where src_ip!="United States"

OR

Index=* sourcetype=* action="*"
| stats count by src_ip dest_ip
|iplocation src_ip dest_ip
| where Country != "United States"
|geostats latfield=lat longfield=lon count by Country

to4kawa · ‎12-31-2019

will you provide sample log?
Is country identification (maxmind geolite2 ) a problem?
Do you update country data?

SPL: Searching the Network Traffic for anything that is not (!=) United States

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life