Top 10 IP along w/ top 4 ports

Contributor

Hello Splunkers,
I'm looking to build a search w/ chart that tracks top 10 source IP's in a firewall but also a listing of the actual ports each IP is using. So like a top 10 src_ip and then the top 3 ports (dest_port) that each of the src_ip's is using. Does that make sense?
I can make the top 10 src_ip happen but I'm having trouble w/ adding the top 3 ports on top of that.
I've so far been able to list the total number of ports but not which actual ports the IP's are using the most.
Does that make sense?
Thanks for any assistance.

1 Solution

Splunk Employee

stats count by src_ip,port


SplunkTrust

Try this

index=firewall host=ofw.Cadence.COM [search index=firewall host=ofw.Cadence.COM | top 10 src_ip | table src_ip] | stats count by src_ip,port | sort 0 src_ip, -count | streamstats count as sno by src_ip | where sno < 4 | table src_ip, port, count
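
The pipeline in this answer, re-implemented in plain Python as an added example (not Splunk code and not from this thread) so each step can be checked offline: the subsearch's `top 10 src_ip`, `stats count by src_ip,port`, and the `streamstats` / `where sno < 4` cut that keeps three ports per IP, followed by the pivot that `chart` would do for the stacked bar. The firewall lines are constructed, the field names follow the original poster's `src_ip` / `dest_port`, and the `sort_by_count` switch shows why the rows have to be ordered by count within each IP before `streamstats` numbers them: `stats` hands rows to `streamstats` grouped by the by-fields, so without that ordering `where sno < 4` keeps the first three ports in by-field order rather than the three busiest.

```python
"""Plain-Python model of the SPL pipeline in the answer above (added example):

  [search ... | top N src_ip | table src_ip]            -> top_src_ips()
  | stats count by src_ip,port                           -> port_counts()
  | sort 0 src_ip, -count | streamstats count as sno by src_ip | where sno < 4
                                                         -> top_ports_per_ip()
  | chart sum(count) over src_ip by dest_port            -> chart_table()
"""
import re
from collections import Counter

# Constructed key=value firewall events (not from the original thread).
LOG_LINES = """\
src_ip=10.1.1.5 dest_port=443 action=allowed
src_ip=10.1.1.5 dest_port=443 action=allowed
src_ip=10.1.1.5 dest_port=443 action=allowed
src_ip=10.1.1.5 dest_port=8080 action=allowed
src_ip=10.1.1.5 dest_port=8080 action=allowed
src_ip=10.1.1.5 dest_port=80 action=allowed
src_ip=10.1.1.5 dest_port=22 action=blocked
src_ip=10.1.1.9 dest_port=53 action=allowed
src_ip=10.1.1.9 dest_port=53 action=allowed
src_ip=10.1.1.9 dest_port=443 action=allowed
src_ip=192.168.7.2 dest_port=3389 action=blocked
src_ip=192.168.7.2 dest_port=445 action=blocked
src_ip=192.168.7.2 dest_port=445 action=blocked
src_ip=192.168.7.2 dest_port=445 action=blocked
src_ip=192.168.7.2 dest_port=139 action=blocked
src_ip=172.16.0.4 dest_port=443 action=allowed
"""

KV_RE = re.compile(r"src_ip=(?P<src_ip>\S+)\s+dest_port=(?P<dest_port>\d+)")


def parse_events(text):
    """Extract (src_ip, dest_port) pairs; lines missing either field are skipped."""
    events = []
    for line in text.splitlines():
        m = KV_RE.search(line)
        if m:
            events.append((m.group("src_ip"), int(m.group("dest_port"))))
    return events


def top_src_ips(events, n=10):
    """Equivalent of the subsearch `top N src_ip | table src_ip`."""
    counts = Counter(ip for ip, _ in events)
    # busiest first; tie-break on the address so the result is deterministic
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [ip for ip, _ in ranked[:n]]


def port_counts(events, ips):
    """Equivalent of `stats count by src_ip,port`, restricted to the subsearch IPs."""
    keep = set(ips)
    return Counter((ip, port) for ip, port in events if ip in keep)


def top_ports_per_ip(events, n_ips=10, n_ports=3, sort_by_count=True):
    """Return {src_ip: [(port, count), ...]} with at most n_ports rows per IP.

    sort_by_count=True mirrors `| sort 0 src_ip, -count` before streamstats.
    sort_by_count=False mirrors feeding stats output straight into streamstats:
    rows arrive grouped by the by-fields (src_ip, then port), not by count, so
    `where sno < 4` keeps the first three ports in that order, not the busiest.
    """
    ips = top_src_ips(events, n_ips)
    counts = port_counts(events, ips)
    if sort_by_count:
        key = lambda kv: (kv[0][0], -kv[1], kv[0][1])  # src_ip asc, count desc, port asc
    else:
        key = lambda kv: kv[0]                         # (src_ip, port) by-field order
    result = {ip: [] for ip in ips}                    # keeps the top-N IP ranking order
    for (ip, port), count in sorted(counts.items(), key=key):
        if len(result[ip]) < n_ports:                  # streamstats sno by src_ip | where sno < 4
            result[ip].append((port, count))
    return result


def chart_table(top):
    """Pivot like `chart sum(count) over src_ip by dest_port`: one row per src_ip,
    one column per surviving port, 0 where that IP did not use the port."""
    ports = sorted({port for rows in top.values() for port, _ in rows})
    table = []
    for ip, rows in top.items():
        used = dict(rows)
        table.append({"src_ip": ip, **{str(p): used.get(p, 0) for p in ports}})
    return table


if __name__ == "__main__":
    top = top_ports_per_ip(parse_events(LOG_LINES), n_ips=3)
    for row in chart_table(top):
        print(row)
```

Running it with `n_ips=3` on the constructed lines keeps 10.1.1.5, 192.168.7.2 and 10.1.1.9 (172.16.0.4 is dropped by the subsearch step); with `sort_by_count=False` the 10.1.1.5 row comes back as ports 22, 80 and 443 instead of 443, 8080 and 22, which is the difference the `sort` makes in Splunk.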

Contributor

Hey I think I found it! Check it out:
index=firewall host=ofw.Corp.COM NOT ran.dom.ip.add [search index=firewall host=ofw.Corp.COM | top 15 src_ip | table src_ip] | stats count by src_ip,dest_port | chart sum(count) by src_ip dest_port

Contributor

So close! That got us the correct X line with the IP's at the bottom but the graph stacks did not list the used port numbers or limit the number of IP's according to the top 10 search.
This search (below) does stack the ports properly and it does provide a legend. Does not list or limit IP's though. Check it out:
index=firewall host=ofw.Corp.COM | stats count by src_ip,dest_port | chart sum(count) by src_ip dest_port
Here is a link to the article: http://answers.splunk.com/answers/46246/how-do-i-create-a-firewall-report-with-both-destination-ip-a...
Thanks for your help.

SplunkTrust

I updated the answer based on your example. Let me know if that works.

Splunk Employee

Another way is:

stats values(port) by src_ip
or
stats list(port) by src_ip

Contributor

The comma. Brilliant. Thank you. Did not think to use that. The result is very close to what I am trying to visualize, and it's the closest I've come to it, but I'm essentially trying to get a top 10 for src_ip and then combine it w/ a top 3 for dest_port, so I have a bar graph where the X axis lists each IP and on top of each IP (Y axis) is a stacked bar/graph indicating each port used, with each stack in the bar indicating how many times each port has been used.
Does that make sense?
Thank you very much for your help!
