Please help me out in this case.
I am searching the Port Scanning attack attempts by the following query.
It Shows me the results in forms only like sorce_ip is 22.214.171.124 and p count 777.
But I want the results in the form of
Sorce_ip sorce_port destination_ip destnation_port pcount
So what will be the query in this regard? Waiting for your kind reply.
you could add also the destination_ip to the search using values:
index="firewall" | stats dc(destination_port) as pcount values(destination_ip) AS destination_ip values(destination_port) AS destination_port by source_ip | where pcount > 500
but in this way you have a few readable dashboard, my hint is to create a simple main search
index="firewall" | stats dc(destination_port) as pcount by source_ip | where pcount > 500
then you can configure a drilldown in another panel of the same dashboard or in another dashboard where there's the details of your connections:
index="firewall" source_ip=$source_ip$ | stats values(destination_port) AS destination_port by destination_ip
if you need help in drilldown configuration you can see in the Splunk Dashboard Examples app (https://splunkbase.splunk.com/app/1603/) how to do this.
I think that it isn't so readable, but you could a values option to your search, something like this:
index="firewall" | stats dc(destination_port) as pcount values(destination_port) AS destination_port by source_ip | where pcount > 500
probably the best approach is to have a main panel with your search and, with a click, a drilldown in another panel or another dashboard with the details of al destination port and other information.