×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
MrSuperSeven
New Member
Member since: ‎08-26-2024
‎08-26-2024
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎08-26-2024
View All

Re: How can i filter out source IP addresses, base...

by in Splunk Search
‎08-26-2024 12:17 PM
‎08-26-2024 12:17 PM
Thanks for reponse. Ill get into tomorrow. More info. Its all the one source in splunk (1 x syslog spanning 30 days) My search = "ACCESS BLOCK" My results are many rows of = XXXXXXXXXXX XXXXXXXXXXX XXXXXXXXXXX Local1.Warning 172.30.31.4 Aug 12 23:16:09 2024 CXXXXXXXXXXX0 src="45.148.10.81:18837" dst="XXXXXXXXXXX:443" msg="surfshark.com:Anonymizers, SSI:N" note="ACCESS BLOCK" user="unknown" devID="XXXXXXXXXXX" cat="URL Threat Filter" host = XXXXXXXXXXX.splunkcloud.comsource = Syslog-CatchAll2024-08-12.txtsourcetype = 1-Zyxel XXXXXXXXXXX XXXXXXXXXXX XXXXXXXXXXX Local1.Warning 172.30.31.4 Aug 12 23:16:09 2024 CXXXXXXXXXXX0 src="45.148.10.87:6139" dst="XXXXXXXXXXX:443" msg="surfshark.com:Anonymizers, SSI:N" note="ACCESS BLOCK" user="unknown" devID="XXXXXXXXXXX" cat="URL Threat Filter" host = XXXXXXXXXXX.splunkcloud.comsource = Syslog-CatchAll2024-08-12.txtsourcetype = 1-Zyxel I then want to seach again but remove every line that has src="45.148.10.81:18837" OR src="45.148.10.87:6139" OR (the next) OR (the next) OR (and so on for 3000+ IP addresses) Thus giving me a data set of "known good traffic"     ... View more

How can i filter out source IP addresses, based on...

by in Splunk Search
‎08-26-2024 02:08 AM
‎08-26-2024 02:08 AM
HI, I have a customer using splunk for just syslog.  There has recently been a ddos attack, we are looking to report on how much traffic came from the known ddos hosts. In the syslog the router has flagged the known IP's as > msg="torproject.org:Anonymizers, SSI:N" note="ACCESS BLOCK" We can search for this fine, however there is a preceding entry for the sending IP address that is in the syslog where the router has forwarded this from firewall to its ip address check phase.  We are looking to get total rows of all traffic from ddos hosts So we search for "torproject" we then want to search again for all ip's that appeared in that first search. Then extract from that search every "src="103.76.173.203:7627" then search for all those Any ideas please? End goal = how much traffic was from ddos hosts and how much wasnt (as a rough %) Thanks in advance ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎08-26-2024 04:37 PM