×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
zeeshantayyab
Loves-to-Learn
Member since: ‎04-27-2022
‎04-28-2022
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎04-27-2022
Activity Feed
View All

Re: Splunk Query about Port Scanning attack attemp...

by SplunkTrust in Splunk Search
‎04-28-2022 02:57 AM
‎04-28-2022 02:57 AM
Hi @zeeshantayyab, you could add also the destination_ip to the search using values: index="firewall" | stats dc(destination_port) as pcount values(destination_ip) AS destination_ip values(destination_port) AS destination_port by source_ip | where pcount > 500 but in this way you have a few readable dashboard, my hint is to create a simple main search index="firewall" | stats dc(destination_port) as pcount by source_ip | where pcount > 500 then you can configure a drilldown in another panel of the same dashboard or in another dashboard where there's the details of your connections: index="firewall" source_ip=$source_ip$ | stats values(destination_port) AS destination_port by destination_ip if you need help in drilldown configuration you can see in the Splunk Dashboard Examples app (https://splunkbase.splunk.com/app/1603/) how to do this. Ciao. Giuseppe ... View more

Re: Search to display port scan attempts

by in Splunk Dev
‎04-27-2022 11:58 PM
‎04-27-2022 11:58 PM
Hi, Why this query is not working in my environment. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎04-28-2022 06:54 AM