Hi, another newbie question here. I am analyzing firewall logs in this format: Apr 4 22:03:18 10.20.10.1 Apr 4 22:05:47 X300 X300/FW_Activity: Info X300 type=FWD|proto=UDP|srcIF=p6|srcIP=174.61.183.230|srcPort=55555|srcMAC=66:66:01:58:04:18|dstIP=207.115.88.202|dstPort=55555|dstService=|dstIF=|rule=BLOCKALL|info=Block by Rule|srcNAT=0.0.0.0|dstNAT=0.0.0.0|duration=0|count=1|receivedBytes=0|sentBytes=0|receivedPackets=0|sentPackets=0|user= I want to find the top 100 srcIPs BY how many # of unique dstPort the attempted to access, so I can find people who obviously portscanned my network. something like "BLOCKALL | top 100 srcIP BY uniq dstPort How can I find top srcIP by # of unique dstPort ? Thank you! ... View more

Hi there, new to splunk. I have some records that take two different forms (both denote ssh login failed). I want to make a chart of the top offending remote IP addresses, Can I extract the IP in the same query from these strings even though they have a different number of words preceding it? Mar 27 19:45:22 10.20.10.160 Mar 27 19:45:22 monitor-demo sshd[26449]: Failed password for root from 116.10.191.209 port 2024 ssh2 Mar 27 19:45:22 10.20.10.160 Mar 27 19:45:22 monitor-demo sshd[26447]: Failed password for invalid user admin from 116.10.191.209 port 2016 ssh2 ... View more