src_ip, with all dest_ips and dest_ports

mcbradford
Contributor

The following search is not giving me what I want.

sourcetype="sidewinder" action="blocked" direction="internal" | top 100 src_ip, dest_port, dest_ip

What I really want is the top src_ip, and then all the destination ip(s) associated with the src_ip. Better yet, with the dest_port.

So I would like for it to look something like this...

src_ip                dest_ip            dest_port      count
122.22.15.51          58.25.66.95        53             200
                      95.55.41.55        443            178
                      85.99.55.32        1935           87

125.55.98.52          128.22.19.23       443            925
                      125.15.15.89       53             839

gkanapathy
Splunk Employee
sourcetype=sidewinder action=blocked direction=internal | stats count,values(dest_ip) by src_ip | sort - count | head 100

and if you want the port too:

sourcetype=sidewinder action=blocked direction=internal | eval dest_ip_port=dest_ip.":".dest_port | count,values(dest_ip_port) by src_ip | sort - count | head 100

gkanapathy
Splunk Employee

stats count


goringop
Explorer

@gkanapathy 

I know the thread is very old, but what if I want to add another column with the total count of events for each src_ip?

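As an added illustration (not code from anyone in this thread), here is the same aggregation done outside Splunk: the `stats count, values(dest_ip:dest_port) by src_ip` from the accepted answer, the per-source total asked for in the follow-up, and the per-pair counts needed for the layout in the question, run over a few constructed key=value events resembling the sidewinder sourcetype.

```python
from collections import Counter, defaultdict

# Constructed sample events in a key=value shape resembling the thread's
# "sidewinder" blocked-connection logs; not real firewall output.
SAMPLE_EVENTS = """\
action=blocked direction=internal src_ip=122.22.15.51 dest_ip=58.25.66.95 dest_port=53
action=blocked direction=internal src_ip=122.22.15.51 dest_ip=58.25.66.95 dest_port=53
action=blocked direction=internal src_ip=122.22.15.51 dest_ip=95.55.41.55 dest_port=443
action=blocked direction=internal src_ip=125.55.98.52 dest_ip=128.22.19.23 dest_port=443
action=allowed direction=internal src_ip=125.55.98.52 dest_ip=128.22.19.23 dest_port=443
action=blocked direction=outbound src_ip=125.55.98.52 dest_ip=125.15.15.89 dest_port=53
""".splitlines()


def parse_event(line):
    """Split one key=value event into a dict (the field extraction Splunk does)."""
    return dict(kv.split("=", 1) for kv in line.split())


def blocked_internal_by_src(lines):
    """Equivalent of:
         action=blocked direction=internal
         | eval dest_ip_port=dest_ip.":".dest_port
         | stats count, values(dest_ip_port) by src_ip
    but also keeps a count per (dest_ip, dest_port) pair so the asker's
    layout can be rendered. Returns {src_ip: {"count": n, "pairs": Counter}}."""
    summary = defaultdict(lambda: {"count": 0, "pairs": Counter()})
    for line in lines:
        ev = parse_event(line)
        # The search's filter terms: anything else is dropped before stats.
        if ev.get("action") != "blocked" or ev.get("direction") != "internal":
            continue
        pair = f"{ev['dest_ip']}:{ev['dest_port']}"  # the eval concatenation
        summary[ev["src_ip"]]["count"] += 1          # total events per source
        summary[ev["src_ip"]]["pairs"][pair] += 1    # per destination/port
    return dict(summary)


def top_sources(summary, n=100):
    """'sort - count | head n': sources ordered by their blocked-event total."""
    return sorted(summary, key=lambda s: summary[s]["count"], reverse=True)[:n]


def render(summary, n=100):
    """Rows in the shape requested in the question: src_ip shown once,
    then each dest_ip / dest_port pair with its count, busiest pair first."""
    rows = []
    for src in top_sources(summary, n):
        for i, (pair, cnt) in enumerate(summary[src]["pairs"].most_common()):
            dest_ip, dest_port = pair.split(":")
            rows.append((src if i == 0 else "", dest_ip, dest_port, cnt))
    return rows


if __name__ == "__main__":
    for row in render(blocked_internal_by_src(SAMPLE_EVENTS)):
        print("{:<16}{:<16}{:<8}{}".format(*row))
```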

mcbradford
Contributor

Search operation 'count' is unknown.


Ayn
Legend

Use a subsearch to get the source IP first, then get the top dest_ip/dest_port pairs:

* [
   search sourcetype="sidewinder" action="blocked" direction="internal"
   | top 1 src_ip
   | fields sourcetype action direction src_ip
  ]
| top 100 dest_ip,dest_port

mcbradford
Contributor

And if I want the source IP displayed in the results?
