Splunk Search

Two time condition searches – please help.

PiotrAp
Path Finder

Hi

I’m trying to create two searches and having some problems. I hope somebody could help me with this.

1. 7 or more IDS Alerts from a single IP Address in one minute.

I created something like below, but it doesn’t seem to be working correctly:

index=ids

| streamstats count time_window=1m by src_ip

| where count >=7

| stats values(dest_ip) as "Destination IP" values(attack) as "Attack" values(severity) as "Severity" values(host) as "FW" count by "Source IP"

2. 5 or more hosts in 1h attacked with the same IDS Signature

This seems to be even more complex as it has 3 conditions:

  • 5 hosts
  • 1h
  • The same IPS signature

So, I’m not sure how to even start after failing first one.

Could somebody help me with this please?

Labels (2)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

What is incorrect about the first search?

---
If this reply helps you, Karma would be appreciated.
0 Karma

PiotrAp
Path Finder

I believe it doesn't show correct results. I mean, sometimes it shows one event in count for source IP, I presume should be min 5. Or I missed something?

Tags (1)
0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quick connection discovery mode for forwarders

When a Splunk forwarder loses connectivity to its indexers, it does not always reconnect immediately. In many ...

Build and Launch AI Agents from Your Splunk Workflows

  Register We’ve all been there: juggling alerts, runbooks, and endless manual searches. What if you could ...

Splunk Cloud Application Management in Terraform

Register   On Tuesday, August 4 at 11AM PDT / 2PM EDT, we’re diving into how you can bring Infrastructure as ...