Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

count by percentage

stwong
Communicator
‎06-17-2014 12:54 AM

Hi, we're trying to find out windows XP users with some rules:

  1. if mod=syn, get client ip (cli)
  2. if mod=syn+ack, get server ip (server)
  3. For each ip, regard as Windows XP if over 80% of OS shows os="Windows XP"

Logs look like following:

[2014/05/19 10:40:01] mod=syn|cli=192.168.133.251/36360|srv=192.168.188.98/80|subj=cli|os=Windows NT kernel 5.x|dist=5|params=generic fuzzy|raw_sig=4:59+5:0:1460:65535,8:mss,nop,ws,nop,nop,sok:df,id+:0
[2014/05/19 10:35:28] mod=syn+ack|cli=192.168.94.71/49771|srv=192.168.11.122/80|subj=srv|os=Windows 7 or 8|dist=3|params=none|raw_sig=4:125+3:0:1460:8192,8:mss,nop,ws,sok,ts:df,id+:0

I use following search which seems to be a bit clumsy (I'm newbie to Splunk) and I'm finding the way to verify it:

search sourcetype=p0f ( mod=syn ) | rename cli AS ipaddr | fields mod, os, ipaddr 
 | append [ search sourcetype=p0f (mod="syn+ack" ) | rename srv AS ipaddr | fields mod, os, ipaddr ] 
  |  rex mode=sed field=ipaddr "s/\/.*//g" 
  | stats count, count(eval(match(os,"Windows XP"))) as XP, count(eval(NOT match(os, "Windows XP"))) as nonXP by ipaddr 
  | eval matched = XP/count * 100 | search matched >= 80 | fields ipaddr ]

I wonder if this can be achieved more efficiently. Would anyone please help? Thanks a lot.

Rgds

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎06-19-2014 07:27 AM

Try this

sourcetype=p0f mode=syn OR mod="syn+ack" | eval ipaddr=if(mod="syn+ack",srv,cli) |  rex mode=sed field=ipaddr "s/\/.*//g" | eventstats count as Total count(eval(match(os,"Windows XP"))) as XP by ipaddr | eval os=if(XP > 0.8*Total,"Windows XP",os) | stats count by ipaddr os
0 Karma
Reply

stwong
Communicator
‎06-19-2014 06:21 PM

That works for me. Thank you very much.

0 Karma
Reply

stwong
Communicator
‎06-18-2014 08:26 PM

We need to count cli of mod=syn and srv of mod=syn+ack, but mod=* have both cli/srv and thus we need to select only one of them depends on mod's value. Is this okay?

Thanks a lot.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎06-17-2014 08:40 AM

You can get rid of the append like this:

sourcetype=p0f mode=syn OR mod="syn+ack" | rename cli as ipaddr srv as ipaddr |  rex mode=sed field=ipaddr "s/\/.*//g"
| stats count count(eval(match(os,"Windows XP"))) as XP by ipaddr 
| eval matched = XP/count * 100 | search matched >= 80 | fields ipaddr

I've also dropped an unused field off the stats.

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎06-19-2014 12:32 PM

Ah. In that case, replace the rename with eval ipaddr = if(mod="syn+ack", srv, cli).

0 Karma
Reply

stwong
Communicator
‎06-19-2014 02:14 AM

Thanks. We interested in cli of mod=syn and srv of mod="syn+ack", while cli and srv appears in mod=syn and mod=syn+ack. Seems the modification will stats cli and srv of all entries?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...