Splunk Search

Top command based on lookup result

bugnet
Path Finder

The following search will give the count of attacks by attacker_IP and destination branch.

index=waf   Name=block | lookup Branches IP AS dest OUTPUTNEW branch | stats count by src branch | sort -count

Now I just want to show the top 10 attacker IPs per Branch based on their high count.

Help is always appreciated.

Thanks!!

Tags (1)
0 Karma

HiroshiSatoh
Champion

try this!

 index=waf   Name=block | lookup Branches IP AS dest OUTPUTNEW branch | stats count by src branch | sort branch .- count|dedup 10 branch 
0 Karma

richgalloway
SplunkTrust
SplunkTrust

I think the top command will do that. Try this

index=waf   Name=block | lookup Branches IP AS dest OUTPUTNEW branch | stats count by src branch | sort -count | top limit=10 count by branch
---
If this reply helps you, an upvote would be appreciated.

bugnet
Path Finder

Not working for me.

0 Karma