Solved: Re: Unique Port Count Per IP

ThisIsTom · ‎06-11-2013

I'm trying to find the number of unique ports accessed by IP's, by count. i.e. IP 8.8.8.8 connected to 5 unique ports. As of right now I am able to see the unique ports connected to by the IP address with the below command.

sourcetype="source_traffic" | stats values(src_port) by dst_ip

Is there a way to count those unique ports and display only that number? I have also tried:

sourcetype="source_traffic" dst_ip="x.x.x.x" | stats count values(src_port) by dst_ip

This one appears to the show a higher count than displayed port numbers.

TIA for any help!

theouhuios · ‎06-11-2013

I guess you can do something like this

stats dc(src_port) by dst_ip

View solution in original post

theouhuios · ‎06-11-2013

I guess you can do something like this

stats dc(src_port) by dst_ip

lbogle · ‎05-29-2014

I'm actually looking for something similar however not to find the count of ports but a listing of the actual ports that IP is using. So like a top 10 src_ip and then the top 3 ports that each of the src_ip's is using. Does that make sense?

ThisIsTom · ‎06-11-2013

Appreciate the quick response! It was on the money.

sourcetype="source_traffic" | stats dc(src_port) by dst_ip

Unique Port Count Per IP

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!