Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Query about Port Scanning attack attempts

zeeshantayyab
Loves-to-Learn
‎04-28-2022 12:18 AM

Hi Team,

Please help me out in this case.

I am searching the Port Scanning attack attempts by the following query.

Spoiler
index="firewall" | stats dc(destination_port) as pcount by source_ip | where pcount > 500

It Shows me the results in forms only like sorce_ip is 145.132.11.11 and count 777.

But I want the results in the form of 

Sorce_ip      sorce_port     destination_ip      destnation_port      pcount

So what will be the query in this regard? Waiting for your kind reply.

Labels (3)
0 Karma
Reply

zeeshantayyab
Loves-to-Learn
‎04-28-2022 12:37 AM

hi @gcusello 

Thanks for helping me. please guide me more on how we can add the destination IP as well in this query.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-28-2022 02:57 AM

Hi @zeeshantayyab,

you could add also the destination_ip to the search using values:

index="firewall" 
| stats dc(destination_port) as pcount values(destination_ip) AS destination_ip values(destination_port) AS destination_port by source_ip 
| where pcount > 500

but in this way you have a few readable dashboard, my hint is to create a simple main search

index="firewall" 
| stats dc(destination_port) as pcount by source_ip 
| where pcount > 500

then you can configure a drilldown in another panel of the same dashboard or in another dashboard where there's the details of your connections:

index="firewall" source_ip=$source_ip$
| stats values(destination_port) AS destination_port by destination_ip

if you need help in drilldown configuration you can see in the Splunk Dashboard Examples app (https://splunkbase.splunk.com/app/1603/) how to do this.

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-28-2022 12:23 AM

Hi @zeeshantayyab,

I think that it isn't so readable, but you could a values option to your search, something like this:

index="firewall" 
| stats dc(destination_port) as pcount values(destination_port) AS destination_port by source_ip 
| where pcount > 500

probably the best approach is to have a main panel with your search and, with a click, a drilldown in another panel or another dashboard with the details of al destination port and other information.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...