Splunk Search

Top 10 IP along w/ top 4 ports

Contributor

Hello Splunkers,
I'm looking to build a search with a chart that tracks the top 10 source IPs in a firewall, but also a listing of the actual ports each IP is using. So, a top 10 srcip and then the top 3 ports (destport) that each of the srcips is using. Does that make sense?
I can make the top 10 src_ip happen, but I'm having trouble with adding the top 3 ports on top of that.
So far I've been able to list the total number of ports, but not which actual ports the IPs are using the most.
Does that make sense?
Thanks for any assistance.


Re: Top 10 IP along w/ top 4 ports

Splunk Employee

stats count by src_ip,port



Re: Top 10 IP along w/ top 4 ports

Contributor

The comma. Brilliant. Thank you. I did not think to use that. The result is very close to what I am trying to visualize, and it's the closest I've come to it, but I'm essentially trying to get a top 10 for srcip and then combine it with a top 3 for destport, so I have a bar graph where the X axis lists each IP and on top of each IP (Y axis) is a stacked bar indicating each port used, with each stack in the bar indicating how many times that port has been used.
Does that make sense?
Thank you very much for your help!


Re: Top 10 IP along w/ top 4 ports

Splunk Employee

Another way is:

stats values(port) by srcip
or
stats list(port) by src_ip


Re: Top 10 IP along w/ top 4 ports

SplunkTrust

Try this

index=firewall host=ofw.Cadence.COM [search index=firewall host=ofw.Cadence.COM | top 10 src_ip | table src_ip] | stats count by src_ip,port | sort 0 src_ip -count | streamstats count as sno by src_ip | where sno < 4 | table src_ip, port, count

Re: Top 10 IP along w/ top 4 ports

SplunkTrust

I updated the answer based on your example. Let me know if that works.


Re: Top 10 IP along w/ top 4 ports

Contributor

So close! That got us the correct X line with the IPs at the bottom, but the graph stacks did not list the used port numbers or limit the number of IPs according to the top 10 search.
This search (below) does stack the ports properly and it does provide a legend. It does not list or limit IPs, though. Check it out:
index=firewall host=ofw.Corp.COM | stats count by srcip,destport | chart sum(count) by srcip destport
Here is a link to the article: http://answers.splunk.com/answers/46246/how-do-i-create-a-firewall-report-with-both-destination-ip-a...
Thanks for your help.


Re: Top 10 IP along w/ top 4 ports

Contributor

Hey I think I found it! Check it out:
index=firewall host=ofw.Corp.COM NOT ran.dom.ip.add [search index=firewall host=ofw.Corp.COM | top 15 srcip | table srcip] | stats count by srcip,destport | chart sum(count) by srcip destport

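The search in the last post charts every destport each of the top 15 srcips used, not only the top 3 per IP, and chart's default series limit of 10 folds any further ports into an OTHER series. As an added example that is not part of the original thread (not any poster's search), here is a single-pass version that produces what the question asked for: the top 10 srcip by event count, the top 3 destport for each, shaped for a stacked bar chart. It assumes the same index=firewall, host=ofw.Corp.COM and the srcip / destport field names used in the thread; the helper field names ip_total, ip_rank and port_rank are my own.

```spl
index=firewall host=ofw.Corp.COM
| stats count BY srcip destport
| eventstats sum(count) AS ip_total BY srcip
| sort 0 -ip_total srcip -count
| streamstats dc(srcip) AS ip_rank
| where ip_rank <= 10
| streamstats count AS port_rank BY srcip
| where port_rank <= 3
| chart limit=0 useother=f sum(count) AS hits OVER srcip BY destport
```

The eventstats/streamstats dc(srcip) pair ranks the IPs without a subsearch: after sorting by -ip_total (with srcip as a tie-breaker so each IP's rows stay contiguous), the running distinct count of srcip is 1 for every row of the busiest IP, 2 for the next, and so on. Sorting by srcip -count before the second streamstats is what makes port_rank a ranking by volume; without that sort, streamstats numbers rows in the order stats emitted them (alphabetical by destport), so where port_rank <= 3 would keep the three lowest-numbered ports rather than the three busiest. limit=0 useother=f keeps all of the up to 30 port series instead of collapsing those past the tenth into OTHER; chart orders the X axis by srcip value, not by volume.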