Splunk Search

Search Same URLs between two endpoints, each endpoint different time range

pkohn117
Explorer

I'm trying to find what URLs are the same that two endpoints went to, but at different times.

Example: What URLs did endpoint 1 go to between 7 and 7:15AM Monday morning, what URLs did endpoint 2 go to on Tuesday afternoon between 4 and 4:15PM, and list the URLs that are the same. I also have an exclusion for some common URLs like google.com. The point of this is when malicious traffic is detected from two endpoints going to the same destinations, check to see what other URLs they went to that were the same.

Here is what I have but it doesn't limit the time so there are a ton of extra URLs that shouldn't be showing:

index=web sourcetype=proxya filter_result=success c_ip=X.X.X.X OR c_ip=y.y.y.y NOT cs_host IN ( google.com, bing.com, etc.org ) | dedup cs_host, c_ip | eventstats count by cs_host | where count = 2 | table _time c_ip cs_host | sort -_time

Tags (1)
0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...

span_metrics: The OpenTelemetry-Idiomatic Way to See Inside Your Services

You open a trace in Splunk Observability Cloud and everything looks fine. One root span, order-pipeline, with ...