Re: litte search: all src-ips whitch alled more th...

DianaR · ‎12-07-2017

Hi there,
I am new and I expect, that a have only a small Problem.
I want to select all Source-IPs, whitch called more than 4 destinations in a short timerange (maybe 2 Minutes).
Diana

DianaR · ‎12-08-2017

Thanks a lot.
Sorry, maybe I don't undestand it correct, but I think, this returns a number of events for each destination group by Source.
I expect a summation of all destinations for each source (not the events).

Example: Source 1.1.1.1 called in 2 minutes the destinations 2.2.2.2, 3.3.3.3, 4.4.4.4, 5.5.5.5
My result should be: 1.1.1.1 4

bw Diana

adigrio · ‎12-08-2017

It is showing the number of distinct destinations for each group of 2 minutes for the selected time interval. Maybe renaming the dc(dest) as conns and the use of bar graph were not that inspired. Here is a search with a different visualization that is probably easier to read:

<your search>
| bucket _time span=2m 
| stats dc(dest) as destinations by src _time 
| where destinations > 4
| table _time, src,destinations
| sort -_time

This should return a _time sorted table similar to:

_time                              src                          destinations
-------------------------------------------------------------------------------
2017-12-08 21:14:00 192.168.1.211   13
2017-12-08 21:14:00 192.168.1.212   5
2017-12-08 21:14:00 192.168.1.216   7
2017-12-08 21:14:00 192.168.1.227   34
2017-12-08 21:14:00 192.168.1.35             6
2017-12-08 21:12:00 192.168.1.200   9
2017-12-08 21:12:00 192.168.1.210   14
2017-12-08 21:12:00 192.168.1.211   12
2017-12-08 21:12:00 192.168.1.212   9
2017-12-08 21:12:00 192.168.1.227   15
2017-12-08 21:10:00 192.168.1.200   13
2017-12-08 21:10:00 192.168.1.211   20
2017-12-08 21:10:00 192.168.1.227   14
2017-12-08 21:08:00 192.168.1.200   14
2017-12-08 21:08:00 192.168.1.210   12

This is showing the sources accessing more than 4 destinations for each group of 2 minutes for the selected time interval.

If you also want to see the actual destinations for each source, you can use eventstats and mvcombine:

| bucket _time span=2m 
| eventstats dc(dest) as destinations by src _time 
| where destinations > 4
| table _time, src,dest,destinations
| mvcombine dest
| sort -_time

woodcock · ‎12-08-2017

To which answer are you referring?

woodcock · ‎12-07-2017

Try this:

| streamstats time_window=120 dc(dest) AS DCdests BY Source-IP
| search DCdests>4
| stats values(Source-IP) AS Source-IPs

damien_chillet · ‎12-07-2017

This is the almost the best solution!

Add a missing "e" to stramstats and replace count with DCdests 😉

woodcock · ‎12-07-2017

Mistakes fixed, thank you.

adigrio · ‎12-07-2017

You need to use the bucket command:

your_search...  | bucket _time span=2m | stats dc(dest) as conns by src _time | where conns > 4

You need to adjust the source and destination fields accordingly. Here is an example from one of my indexes showing sources (src) that had more than 4 distinct destinations (dest) within a 2 minute bucket for the last 15 minutes. As you can see, you will get stats for each time interval bucket for the entire time interval selected (so for every 2 minutes, you will have a list of hosts with more than 4 distinct destinations):

DianaR · ‎12-07-2017

I want to get the number of Destinations for each Src-IP.
ThankYou

litte search: all src-ips whitch alled more than 4 dest. in a short timerange

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?