Splunk Query for user accessing assets

sarwshai
Communicator

Hi All,

I need to create a query where a user accesses the same destination from 5 or more sources; in that same query the opposite should also be achieved, i.e. 5 or more destinations and 1 source. Is it possible?


gcusello
SplunkTrust

Hi @sarwshai,
You have to use the stats command with the dc (distinct_count) option.
e.g. something like this:

index=your_index
| stats dc(src_ip) AS dc_src BY user dst_ip
| where dc_src>=5

or in the other case:

index=your_index
| stats dc(dst_ip) AS dc_dst BY user src_ip
| where dc_dst>=5

Ciao.
Giuseppe

sarwshai
Communicator

Thanks @gcusello, however I want both conditions in the same search itself.


gcusello
SplunkTrust

Hi @sarwshai,
Try something like this (it runs if the second search has fewer than 50,000 results!):

index=your_index
| stats dc(src) AS dc_src values(src) AS src BY user dst
| where dc_src>=5
| append [ search 
     index=your_index
     | stats dc(dst) AS dc_dst values(dst) AS dst BY user src
     | where dc_dst>=5
     ]
| table user src dst

Ciao.
Giuseppe
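The two answers above describe the same detection idea in SPL: count distinct sources per (user, destination) pair to catch a destination reached from many sources, count distinct destinations per (user, source) pair to catch a source fanning out to many destinations, and keep only pairs at or above the threshold. The block below is an added example, not code from the thread or from Splunk, that runs the same logic outside Splunk in Python over a handful of constructed key=value log lines. It is useful for checking what the SPL should return on known input before trusting it in production, and it computes both directions in a single pass, so it does not depend on the append subsearch limit mentioned above. The field names user, src and dst match the thread's second answer; the sample events, the THRESHOLD constant and the function names are my own assumptions.

```python
from collections import defaultdict

# Constructed sample log lines (not taken from the original thread). Each line
# is one access event in key=value form, the way Splunk would auto-extract it.
SAMPLE_LOG_LINES = """\
user=alice src=10.0.0.1 dst=10.1.0.50 action=allowed
user=alice src=10.0.0.2 dst=10.1.0.50 action=allowed
user=alice src=10.0.0.3 dst=10.1.0.50 action=allowed
user=alice src=10.0.0.4 dst=10.1.0.50 action=allowed
user=alice src=10.0.0.5 dst=10.1.0.50 action=allowed
user=alice src=10.0.0.5 dst=10.1.0.50 action=allowed
user=bob src=10.0.0.9 dst=10.1.0.1 action=allowed
user=bob src=10.0.0.9 dst=10.1.0.2 action=allowed
user=bob src=10.0.0.9 dst=10.1.0.3 action=allowed
user=bob src=10.0.0.9 dst=10.1.0.4 action=allowed
user=bob src=10.0.0.9 dst=10.1.0.5 action=allowed
user=carol src=10.0.0.21 dst=10.1.0.77 action=allowed
user=carol src=10.0.0.22 dst=10.1.0.77 action=allowed
user=carol src=10.0.0.23 dst=10.1.0.77 action=allowed
user=carol src=10.0.0.24 dst=10.1.0.77 action=allowed
"""

# "5 or more" in the question means >= 5; a where clause with > 5 would need six.
THRESHOLD = 5  # assumed value, mirrors the thread's requirement


def parse_kv_line(line):
    """Turn 'k1=v1 k2=v2 ...' into a dict, like Splunk's key=value extraction."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def find_access_patterns(events, threshold=THRESHOLD):
    """Return findings for both patterns in one pass over the events.

    many_src_one_dst: a user reaching one destination from >= threshold
                      distinct sources (SPL: stats dc(src) BY user dst).
    one_src_many_dst: a user reaching >= threshold distinct destinations
                      from one source (SPL: stats dc(dst) BY user src).
    Repeated src/dst values only count once, exactly like dc().
    """
    src_by_user_dst = defaultdict(set)
    dst_by_user_src = defaultdict(set)
    for ev in events:
        src_by_user_dst[(ev["user"], ev["dst"])].add(ev["src"])
        dst_by_user_src[(ev["user"], ev["src"])].add(ev["dst"])

    findings = []
    for (user, dst), srcs in sorted(src_by_user_dst.items()):
        if len(srcs) >= threshold:
            findings.append({"user": user, "pattern": "many_src_one_dst",
                             "dst": dst, "src": sorted(srcs), "dc": len(srcs)})
    for (user, src), dsts in sorted(dst_by_user_src.items()):
        if len(dsts) >= threshold:
            findings.append({"user": user, "pattern": "one_src_many_dst",
                             "src": src, "dst": sorted(dsts), "dc": len(dsts)})
    return findings


def run_on_sample():
    """Parse the constructed lines and evaluate both patterns against them."""
    events = [parse_kv_line(l) for l in SAMPLE_LOG_LINES.splitlines() if l.strip()]
    return find_access_patterns(events)


if __name__ == "__main__":
    for finding in run_on_sample():
        print(finding)
```

On the sample input alice is reported once (five distinct sources, the repeated 10.0.0.5 counted once) and bob once (one source, five destinations); carol stays below the threshold with four sources. Raising the threshold to 6 returns nothing, which is the difference between `>=5` and `>5` in the SPL where clauses.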

sarwshai
Communicator

Thanks @gcusello, it kind of worked for me.


gcusello
SplunkTrust

Hi @sarwshai,
You're welcome!
If this answer solves your need, please accept it for the other people in the Community.

Ciao and next time.
Giuseppe
