src_ip, with all dest_ips and dest_ports

mcbradford · ‎10-06-2011

The following search is not giving me what I want..

sourcetype="sidewinder" action="blocked" direction="internal" | top 100 src_ip, dest_port, dest_ip

What I really want is the top src_ip, and then all the destination ip(s) associated with the src_ip. Better yet, with the dest_port.

So I would like for it to look something like this...

src_ip                dest_ip            dest_port      count
122.22.15.51          58.25.66.95        53             200
                      95.55.41.55        443            178
                      85.99.55.32        1935           87

125.55.98.52          128.22.19.23       443            925
                      125.15.15.89       53             839

gkanapathy · ‎10-07-2011

sourcetype=sidewinder action=blocked direction=internal | stats count,values(dest_ip) by src_ip | sort - count | head 100

and if you want the port too:

sourcetype=sidewinder action=blocked direction=internal | eval dest_ip_port=dest_ip.":".dest_port | count,values(dest_ip_port) by src_ip | sort - count | head 100

gkanapathy · ‎10-07-2011

stats count

goringop · ‎08-05-2020

@gkanapathy

I know the thread is very old but what if I want to add another Column with total counts of events for each src_ip

mcbradford · ‎10-07-2011

Search operation 'count' is unknown.

Ayn · ‎10-07-2011

Use a subsearch to get the source IP first, then get the top dest_ip/dest_port pairs:

* [
   search sourcetype="sidewinder" action="blocked" direction="internal"
   | top 1 src_ip
   | fields sourcetype action direction src_ip
  ]
| top 100 dest_ip,dest_port

mcbradford · ‎10-07-2011

And if I want the source IP displayed in the results?

src_ip, with all dest_ips and dest_ports

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...