Solved: SPL: Searching the Network Traffic for anything t...

itsmevic · ‎12-31-2019

Hello fellow Splunkers ( :

Does anyone have some SPL laying around that shows network traffic that is NOT United States based both source and destination standpoints.  I'd like to be able to monitor any of this type of traffic on my network via Splunk.

itsmevic · ‎01-23-2020

index=* sourcetype=* action="*"
|stats count by host,src_ip,dest_ip,port
|where src_ip!="United States"

OR

Index=* sourcetype=* action="*"
| stats count by src_ip dest_ip
|iplocation src_ip dest_ip
| where Country != "United States"
|geostats latfield=lat longfield=lon count by Country

View solution in original post

itsmevic · ‎01-23-2020

index=* sourcetype=* action="*"
|stats count by host,src_ip,dest_ip,port
|where src_ip!="United States"

OR

Index=* sourcetype=* action="*"
| stats count by src_ip dest_ip
|iplocation src_ip dest_ip
| where Country != "United States"
|geostats latfield=lat longfield=lon count by Country

to4kawa · ‎12-31-2019

will you provide sample log?
Is country identification (maxmind geolite2 ) a problem?
Do you update country data?

SPL: Searching the Network Traffic for anything that is not (!=) United States

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Splunk and Fraud

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...