Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

src_ip, with all dest_ips and dest_ports

mcbradford
Contributor
‎10-06-2011 01:35 PM

The following search is not giving me what I want..

sourcetype="sidewinder" action="blocked" direction="internal" | top 100 src_ip, dest_port, dest_ip

What I really want is the top src_ip, and then all the destination ip(s) associated with the src_ip. Better yet, with the dest_port.

So I would like for it to look something like this...

src_ip                dest_ip            dest_port      count
122.22.15.51          58.25.66.95        53             200
                      95.55.41.55        443            178
                      85.99.55.32        1935           87

125.55.98.52          128.22.19.23       443            925
                      125.15.15.89       53             839
Tags (1)
0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎10-07-2011 12:14 AM 
sourcetype=sidewinder action=blocked direction=internal | stats count,values(dest_ip) by src_ip | sort - count | head 100

and if you want the port too:

sourcetype=sidewinder action=blocked direction=internal | eval dest_ip_port=dest_ip.":".dest_port | count,values(dest_ip_port) by src_ip | sort - count | head 100
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎10-07-2011 06:40 AM

stats count

0 Karma
Reply

goringop
Explorer
‎08-05-2020 06:34 AM

@gkanapathy 

I know the thread is very old but what if I want to add another Column with total counts of events for each src_ip

0 Karma
Reply

mcbradford
Contributor
‎10-07-2011 04:40 AM

Search operation 'count' is unknown.

0 Karma
Reply

Ayn
Legend
‎10-07-2011 12:12 AM

Use a subsearch to get the source IP first, then get the top dest_ip/dest_port pairs:

* [
   search sourcetype="sidewinder" action="blocked" direction="internal"
   | top 1 src_ip
   | fields sourcetype action direction src_ip
  ]
| top 100 dest_ip,dest_port
0 Karma
Reply

mcbradford
Contributor
‎10-07-2011 04:39 AM

And if I want the source IP displayed in the results?

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...