Splunk Query for user accessing assets

sarwshai · ‎04-07-2020

Hi All,

I need to create a query where user access a same destination from 5 or more sources, also in that query opposite should also be achieved i.e. 5 or more destination and 1 source, is it possible?

gcusello · ‎04-07-2020

Hi @sarwshai,
you have to use the stats command with the dc (distinct_count) option.
e.g. something like this:

index=your_index
| stats dc(src_ip) AS dc_src BY user dts_ip
| where dc_src>5

or in the other case:

index=your_index
| stats dc(dst_ip) AS dc_dst BY user src_ip
| where dc_dst>5

Ciao.
Giuseppe

sarwshai · ‎04-07-2020

Thanks @gcusello , however i want both conditions in same search itself.

gcusello · ‎04-07-2020

Hi @sarwshai,
try something like this (it runs if the second search has less than 50,000 results!):

index=your_index
| stats dc(src) AS dc_src values(src) AS src BY user dst
| where dc_src>5
| append [ search 
     index=your_index
     | stats dc(dst) AS dc_dst values(dst) AS dst BY user src
     | where dc_dst>5
     ]
| table user src dst

Ciao.
Giuseppe

sarwshai · ‎04-08-2020

Thanks @gcusello , it kind of worked for me.

gcusello · ‎04-08-2020

Hi @sarwshai,
You're welcome!
if this answer solves your need, please accept it for the other people of Community.

Ciao and next time.
Giuseppe

Splunk Query for user accessing assets

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?