Splunk Search

sub-search and destIP foreach srcIP

Gilgalidd
Path Finder

Hello,

I would like to obtain a complete list of all connections.

For example:

SRC         | DST         |PORT
a.a.a.a     | z.z.z.z     | tcp 22
            | x.x.x.x     | tcp 8080
b.b.b.b     | x.x.x.x     | tcp 80
...

For that, I've made two searches, one to list all src IPs and the second for the dst IPs:

source="toto.log"
  | rex max_match=100 "\binside:(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b"
  | stats values(ip) as ip_list


source="toto.log" inside:X.X.X.X
  | rex max_match=100 "\boutside:(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b"
  | stats values(ip) as ip_list

But I don't know how to do a sub-search to get a result like I've explained.

My log looks like:

Aug  1 00:00:09 x.x.x.x %FWSM-4-106023: Deny udp src inside:x.x.x.x/50464 dst outside:x.x.x.x/53 by access-group "inside_access_in" [0x0, 0x0]

Can I do what I want? If yes, how? And is it the best way to obtain the result?

Thanks for reading.


kristian_kolb
Ultra Champion

Assuming that you have extracted the protocol, src_ip, dst_ip and dst_port as fields (either through conf files or with rex), you can do this by concatenating the destination fields together:

...| eval destination = dst_ip . " " . protocol . " " . dst_port 
| stats values(destination) by src_ip

The function values give the distinct values for a field. If using list you get all of them, which may include duplicates.

/K

Gilgalidd
Path Finder

Thanks a lot for your help!

source="toto.log"
  | rex max_match=100 "\bsrc (?<Sint>\w{1,99}):(?<Sip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\/(?<Sport>\d{1,5})\b"
  | rex max_match=100 "\bdst (?<Dint>\w{1,99}):(?<Dip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\/(?<Dport>\d{1,5})\b"
  | eval src=Sint .":".Sip."/".Sport 
  | eval dst=Dint .":".Dip."/".Dport
  | stats values(src) by dst

gives me a nice result.

kristian_kolb
Ultra Champion

You'll need to extract the relevant portions of the event into so-called 'fields'. You can do that with rex as part of a search query (which you have already done), or put (more or less) the same logic into config files, so that the fields are automatically extracted.

Start at this page, and follow some of the links to understand how that is performed:

http://docs.splunk.com/Documentation/Splunk/latest/Tutorial/Usefieldstosearch

Gilgalidd
Path Finder

Thanks for your reply, but I don't understand how to use this with my log. Can you give me more information on how to get protocol, port and other fields?

antlefebvre
Communicator

Create field extractions instead of doing a rex in search. Then you can do a search like this:

source="toto.log" | stats list(dstip),list(dstport) by srcip

kristian_kolb
Ultra Champion

Oops, I might have been a bit too quick there. According to the docs, lists will be sorted by the order in which they are returned. However, making such a list is just like a table. Sorry for confusing things.

antlefebvre
Communicator

Thank you much. I was unaware that list sorted independently.


kristian_kolb
Ultra Champion

With this approach, there is no connection between the list of IP's and the list of ports. They will be sorted independently.
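The accepted approach (concatenate the destination fields first, then `stats values(...) by src_ip`) and the caveat above about separate per-field lists, as an added Python example that is not part of the thread or of Splunk: it re-implements the rex extraction from Gilgalidd's follow-up (field names Sint, Sip, Sport, Dint, Dip, Dport plus protocol) over constructed FWSM-style events, and contrasts the paired result with what independently aggregated fields give.

```python
import re
from collections import defaultdict

# Constructed FWSM-style events (not taken from the thread); the first two
# are the same src/dst flow so that values() (distinct) collapses them.
EVENTS = [
    'Aug  1 00:00:09 10.0.0.1 %FWSM-4-106023: Deny udp src inside:192.0.2.10/50464 dst outside:198.51.100.5/53 by access-group "inside_access_in" [0x0, 0x0]',
    'Aug  1 00:00:10 10.0.0.1 %FWSM-4-106023: Deny udp src inside:192.0.2.10/50465 dst outside:198.51.100.5/53 by access-group "inside_access_in" [0x0, 0x0]',
    'Aug  1 00:00:11 10.0.0.1 %FWSM-4-106023: Deny tcp src inside:192.0.2.10/40000 dst outside:198.51.100.9/8080 by access-group "inside_access_in" [0x0, 0x0]',
    'Aug  1 00:00:12 10.0.0.1 %FWSM-4-106023: Deny tcp src inside:192.0.2.20/40001 dst outside:198.51.100.9/80 by access-group "inside_access_in" [0x0, 0x0]',
]

# The two rex extractions from the thread, merged into one Python regex
# that also captures the protocol word preceding "src".
FIELD_RE = re.compile(
    r"\b(?P<protocol>tcp|udp|icmp) src (?P<Sint>\w+):(?P<Sip>\d{1,3}(?:\.\d{1,3}){3})/(?P<Sport>\d{1,5})"
    r" dst (?P<Dint>\w+):(?P<Dip>\d{1,3}(?:\.\d{1,3}){3})/(?P<Dport>\d{1,5})\b"
)


def extract_fields(events):
    """Field extraction: one dict of named groups per event that matches."""
    return [m.groupdict() for m in map(FIELD_RE.search, events) if m]


def destinations_by_src(rows):
    """| eval destination = Dip . " " . protocol . " " . Dport | stats values(destination) by Sip
    Concatenating before aggregating keeps each IP paired with its own port;
    values() then deduplicates and sorts the combined strings."""
    grouped = defaultdict(set)
    for r in rows:
        grouped[r["Sip"]].add(f'{r["Dip"]} {r["protocol"]} {r["Dport"]}')
    return {src: sorted(dests) for src, dests in grouped.items()}


def separate_values_by_src(rows):
    """| stats values(Dip) values(Dport) by Sip
    Each field is deduplicated and sorted on its own, so the result no longer
    says which port belonged to which destination IP."""
    ips, ports = defaultdict(set), defaultdict(set)
    for r in rows:
        ips[r["Sip"]].add(r["Dip"])
        ports[r["Sip"]].add(r["Dport"])
    return {src: (sorted(ips[src]), sorted(ports[src])) for src in ips}


if __name__ == "__main__":
    extracted = extract_fields(EVENTS)
    for src, dests in destinations_by_src(extracted).items():
        print(src, dests)
```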
