Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

src_ip, with all dest_ips and dest_ports

mcbradford
Contributor
‎10-06-2011 01:35 PM

The following search is not giving me what I want..

sourcetype="sidewinder" action="blocked" direction="internal" | top 100 src_ip, dest_port, dest_ip

What I really want is the top src_ip, and then all the destination ip(s) associated with the src_ip. Better yet, with the dest_port.

So I would like for it to look something like this...

src_ip                dest_ip            dest_port      count
122.22.15.51          58.25.66.95        53             200
                      95.55.41.55        443            178
                      85.99.55.32        1935           87

125.55.98.52          128.22.19.23       443            925
                      125.15.15.89       53             839
Tags (1)
0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎10-07-2011 12:14 AM 
sourcetype=sidewinder action=blocked direction=internal | stats count,values(dest_ip) by src_ip | sort - count | head 100

and if you want the port too:

sourcetype=sidewinder action=blocked direction=internal | eval dest_ip_port=dest_ip.":".dest_port | count,values(dest_ip_port) by src_ip | sort - count | head 100
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎10-07-2011 06:40 AM

stats count

0 Karma
Reply

goringop
Explorer
‎08-05-2020 06:34 AM

@gkanapathy 

I know the thread is very old but what if I want to add another Column with total counts of events for each src_ip

0 Karma
Reply

mcbradford
Contributor
‎10-07-2011 04:40 AM

Search operation 'count' is unknown.

0 Karma
Reply

Ayn
Legend
‎10-07-2011 12:12 AM

Use a subsearch to get the source IP first, then get the top dest_ip/dest_port pairs:

* [
   search sourcetype="sidewinder" action="blocked" direction="internal"
   | top 1 src_ip
   | fields sourcetype action direction src_ip
  ]
| top 100 dest_ip,dest_port
0 Karma
Reply

mcbradford
Contributor
‎10-07-2011 04:39 AM

And if I want the source IP displayed in the results?

0 Karma
Reply
Get Updates on the Splunk Community!

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...