Splunk Search

Top command based on lookup result

bugnet
Path Finder

The following search will give the count of attacks by attacker_IP and destination branch.

index=waf   Name=block | lookup Branches IP AS dest OUTPUTNEW branch | stats count by src branch | sort -count

Now I just want to show the top 10 attacker IPs per Branch based on their high count.

Help is always appreciated.

Thanks!!

Tags (1)
0 Karma

HiroshiSatoh
Champion

try this!

 index=waf   Name=block | lookup Branches IP AS dest OUTPUTNEW branch | stats count by src branch | sort branch .- count|dedup 10 branch 
0 Karma

richgalloway
SplunkTrust
SplunkTrust

I think the top command will do that. Try this

index=waf   Name=block | lookup Branches IP AS dest OUTPUTNEW branch | stats count by src branch | sort -count | top limit=10 count by branch
---
If this reply helps you, Karma would be appreciated.

bugnet
Path Finder

Not working for me.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...