Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Two time condition searches – please help.

PiotrAp
Path Finder
‎12-04-2023 07:58 AM

Hi

I’m trying to create two searches and having some problems. I hope somebody could help me with this.

1. 7 or more IDS Alerts from a single IP Address in one minute.

I created something like below, but it doesn’t seem to be working correctly:

index=ids

| streamstats count time_window=1m by src_ip

| where count >=7

| stats values(dest_ip) as "Destination IP" values(attack) as "Attack" values(severity) as "Severity" values(host) as "FW" count by "Source IP"

2. 5 or more hosts in 1h attacked with the same IDS Signature

This seems to be even more complex as it has 3 conditions:

  • 5 hosts
  • 1h
  • The same IPS signature

So, I’m not sure how to even start after failing first one.

Could somebody help me with this please?

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-04-2023 08:12 AM

What is incorrect about the first search?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

PiotrAp
Path Finder
‎12-04-2023 08:17 AM

I believe it doesn't show correct results. I mean, sometimes it shows one event in count for source IP, I presume should be min 5. Or I missed something?

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

See Splunk Platform & Observability Innovations at Cisco Live EMEA

Hi Splunkers, Learn about what’s next for Splunk Platform at Cisco Live EMEA.  Data silos are a big challenge ...

The OpenTelemetry Certified Associate (OTCA) Exam

What’s this OTCA exam? The Linux Foundation offers the OpenTelemetry Certified Associate (OTCA) credential to ...

From Manual to Agentic: Level Up Your SOC at Cisco Live

Welcome to the Era of the Agentic SOC   Are you tired of being a manual alert responder? The security ...