Splunk Search

Little search: all src-ips which called more than 4 dest. in a short time range

DianaR
New Member

Hi there,
I am new and I expect that I have only a small problem.
I want to select all Source-IPs which called more than 4 destinations in a short time range (maybe 2 minutes).
Diana


DianaR
New Member

Thanks a lot.
Sorry, maybe I don't understand it correctly, but I think this returns the number of events for each destination, grouped by source.
I expect a sum of all destinations for each source (not the events).

Example: Source 1.1.1.1 called in 2 minutes the destinations 2.2.2.2, 3.3.3.3, 4.4.4.4, 5.5.5.5
My result should be: 1.1.1.1 4

bw Diana


adigrio
Path Finder

It is showing the number of distinct destinations for each group of 2 minutes for the selected time interval. Maybe renaming the dc(dest) as conns and the use of bar graph were not that inspired. Here is a search with a different visualization that is probably easier to read:

<your search>
| bucket _time span=2m 
| stats dc(dest) as destinations by src _time 
| where destinations > 4
| table _time, src,destinations
| sort -_time

This should return a _time sorted table similar to:

_time                 src             destinations
--------------------------------------------------
2017-12-08 21:14:00   192.168.1.211   13
2017-12-08 21:14:00   192.168.1.212   5
2017-12-08 21:14:00   192.168.1.216   7
2017-12-08 21:14:00   192.168.1.227   34
2017-12-08 21:14:00   192.168.1.35    6
2017-12-08 21:12:00   192.168.1.200   9
2017-12-08 21:12:00   192.168.1.210   14
2017-12-08 21:12:00   192.168.1.211   12
2017-12-08 21:12:00   192.168.1.212   9
2017-12-08 21:12:00   192.168.1.227   15
2017-12-08 21:10:00   192.168.1.200   13
2017-12-08 21:10:00   192.168.1.211   20
2017-12-08 21:10:00   192.168.1.227   14
2017-12-08 21:08:00   192.168.1.200   14
2017-12-08 21:08:00   192.168.1.210   12

This is showing the sources accessing more than 4 destinations for each group of 2 minutes for the selected time interval.

If you also want to see the actual destinations for each source, you can use eventstats and mvcombine:

| bucket _time span=2m 
| eventstats dc(dest) as destinations by src _time 
| where destinations > 4
| table _time, src,dest,destinations
| mvcombine dest
| sort -_time

woodcock
Esteemed Legend

To which answer are you referring?


woodcock
Esteemed Legend

Try this:

| streamstats time_window=120 dc(dest) AS DCdests BY Source-IP
| search DCdests>4
| stats values(Source-IP) AS Source-IPs
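The two searches in this thread count distinct destinations per source in two different ways: adigrio's fixed 2-minute buckets (bucket + stats dc) and woodcock's 120-second sliding window (streamstats time_window). The following Python is an added example, not code from the thread or from Splunk, that reimplements both over a constructed set of log lines so the difference is visible: a source whose fan-out straddles a bucket boundary is missed by the bucketed version but caught by the sliding window. Field names src and dest, the sample addresses and timestamps are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the thread), one "date time src dest" line each:
# 10.0.0.5 fans out inside one 2-minute bucket; 1.1.1.1 fans out across the 21:14:00 boundary.
SAMPLE_LOG = """\
2017-12-08 21:10:05 10.0.0.5 10.0.1.1
2017-12-08 21:10:15 10.0.0.5 10.0.1.2
2017-12-08 21:10:25 10.0.0.5 10.0.1.3
2017-12-08 21:10:35 10.0.0.5 10.0.1.4
2017-12-08 21:10:50 10.0.0.5 10.0.1.5
2017-12-08 21:13:10 1.1.1.1 2.2.2.2
2017-12-08 21:13:40 1.1.1.1 3.3.3.3
2017-12-08 21:13:50 1.1.1.1 4.4.4.4
2017-12-08 21:14:20 1.1.1.1 5.5.5.5
2017-12-08 21:14:30 1.1.1.1 6.6.6.6
2017-12-08 21:14:30 1.1.1.1 2.2.2.2
"""

def parse_events(log):
    """Return a list of (timestamp, src, dest) tuples from the sample log."""
    events = []
    for line in log.splitlines():
        date, time, src, dest = line.split()
        events.append((datetime.fromisoformat(f"{date} {time}"), src, dest))
    return events

def bucketed_fanout(events, span=timedelta(minutes=2), threshold=4):
    """bucket _time span=2m | stats dc(dest) by src _time | where destinations > 4
    Returns {(src, bucket_start): distinct destination count} for buckets over the threshold."""
    dests = defaultdict(set)
    for ts, src, dest in events:
        midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
        bucket = ts - (ts - midnight) % span          # floor _time to the start of its bucket
        dests[(src, bucket.strftime("%Y-%m-%d %H:%M:%S"))].add(dest)
    return {key: len(s) for key, s in dests.items() if len(s) > threshold}

def sliding_fanout(events, window=timedelta(seconds=120), threshold=4):
    """streamstats time_window=120 dc(dest) AS DCdests BY src | search DCdests>4
    Returns {src: max distinct destinations in any 120 s window ending at one of its events}."""
    by_src = defaultdict(list)
    for ts, src, dest in sorted(events):               # streamstats needs time-ordered events
        by_src[src].append((ts, dest))
    flagged = {}
    for src, evs in by_src.items():
        for i, (ts, _) in enumerate(evs):
            recent = {d for t, d in evs[: i + 1] if ts - t <= window}
            if len(recent) > threshold:
                flagged[src] = max(flagged.get(src, 0), len(recent))
    return flagged
```

On the sample, bucketed_fanout flags only 10.0.0.5 while sliding_fanout also flags 1.1.1.1, whose five destinations are split across the 21:12:00 and 21:14:00 buckets. The same boundary effect applies to the Splunk searches above, so the bucketed form trades some recall for a cheaper query.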

damien_chillet
Builder

This is almost the best solution!

Add a missing "e" to stramstats and replace count with DCdests 😉

woodcock
Esteemed Legend

Mistakes fixed, thank you.


adigrio
Path Finder

You need to use the bucket command:

your_search...  | bucket _time span=2m | stats dc(dest) as conns by src _time | where conns > 4

You need to adjust the source and destination fields accordingly. Here is an example from one of my indexes showing sources (src) that had more than 4 distinct destinations (dest) within a 2 minute bucket for the last 15 minutes. As you can see, you will get stats for each time interval bucket for the entire time interval selected (so for every 2 minutes, you will have a list of hosts with more than 4 distinct destinations):



DianaR
New Member

I want to get the number of destinations for each Src-IP.
Thank you
