Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Using nested tstats to detect foreign ip and then search in traffic for connections between foreign ip and local

el666nino
Loves-to-Learn Everything
‎05-09-2022 04:33 AM

hello , i want to detect foreign ip at first step, then search in traffic for connections between foreign ip and other local ips.

 

| tstats `security_content_summariesonly` values(All_Traffic.src_ip) AS src values(All_Traffic.dest_ip) AS dest values(All_Traffic.dest_ip_Country) AS dest_country values(All_Traffic.src_ip_Country) AS src_country from datamodel=Network_Traffic  by _time
| eval attacker=if(src_country="","$src$","$dest$")
| search 
    [ 
    | tstats count from datamodel=Network_Traffic WHERE (All_Traffic.src_ip=attacker OR All_Traffic.dest_ip=attacker)  by _time
    ]

 

Labels (2)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...