Splunk Search

SPL to find the src to dest traffic

AL3Z
Builder

Hi,

Need an SPL search from src_ip to dest_ip; I would like to know the dest_url, logs and outbound traffic size.


0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @AL3Z,

your request isn't so clear: you want all the events from a src_ip to a src_ip, then the list of dest_urls and outbound traffic size, is it correct?

you should try something like this:

index=your_index sourcetype=your_sourcetype
| stats 
   values(dest_url) AS dest_url
   values(logs) AS logs
   sum(bytes_in) AS bytes_in
   sum(bytes_out) AS bytes_out
   BY src_ip dest_ip
| eval traffic_MB_size=(bytes_in+bytes_out)/1024/1024

Ciao.

Giuseppe


0 Karma

AL3Z
Builder

Hi @gcusello ,

Eg :
from a specific src_ip=xx.xx.xx.xx to dest_ip=xx.xx.xx.xx

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @AL3Z ,

if the above search doesn't work for you, but you want to filter for src_ip and dest_ip, you could try:

index=your_index sourcetype=your_sourcetype src_ip="xx.xx.xx.xx" dest_ip="yy.yy.yy.yy"
| stats 
   values(dest_url) AS dest_url
   values(logs) AS logs
   sum(bytes_in) AS bytes_in
   sum(bytes_out) AS bytes_out
| eval traffic_MB_size=(bytes_in+bytes_out)/1024/1024

Ciao.

Giuseppe
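As an added example (not from the original posts), here is a fuller version of the same search that breaks the traffic down per dest_url and keeps the per-pair total alongside it, so you can see which URL accounts for most of the outbound volume between the two hosts. It assumes the same fields used in the thread (src_ip, dest_ip, dest_url, bytes_in, bytes_out, which follow the Splunk CIM naming), and your_index, your_sourcetype and the xx/yy IP addresses are placeholders to replace. The coalesce() calls are there because events that carry no byte counts would otherwise make the sum() results null.

```spl
index=your_index sourcetype=your_sourcetype src_ip="xx.xx.xx.xx" dest_ip="yy.yy.yy.yy"
| eval bytes_in=coalesce(bytes_in, 0), bytes_out=coalesce(bytes_out, 0)
| stats count AS events
        min(_time) AS first_seen
        max(_time) AS last_seen
        sum(bytes_in) AS bytes_in
        sum(bytes_out) AS bytes_out
        BY src_ip dest_ip dest_url
| eventstats sum(bytes_out) AS pair_bytes_out BY src_ip dest_ip
| eval outbound_MB=round(bytes_out/1024/1024, 2),
       total_MB=round((bytes_in+bytes_out)/1024/1024, 2),
       pair_outbound_MB=round(pair_bytes_out/1024/1024, 2),
       pct_of_pair=if(pair_bytes_out>0, round(100*bytes_out/pair_bytes_out, 1), 0)
| convert ctime(first_seen) ctime(last_seen)
| sort - bytes_out
| table src_ip dest_ip dest_url events first_seen last_seen outbound_MB total_MB pair_outbound_MB pct_of_pair
```

The first line alone (without the stats and everything after it) returns the raw events for that src/dest pair, which is the simplest way to review the "logs" themselves; the aggregated form above is the one to use when you want to spot a single URL receiving an unusually large share of the outbound bytes, for example when checking a host for suspected data exfiltration.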
