Splunk Search

How can I count the total IDS alerts per host within subnet?

digital_alchemy
Path Finder

I would like to create a search to show the number of IDS alerts per host. The problem I'm having is that I'm unable to combine the count where a host may trigger an alert as both the destination IP and the source IP.

What I would like to be able to do is combine these two searches into one that will calculate the total count of alerts for all hosts within my subnet whether they are the src or dest IP.

index=MyIDS sourcetype="suricata:alert_fast" src=MySubnet.0.0/16 | stats count by src

index=MyIDS sourcetype="suricata:alert_fast" dest=MySubnet.0.0/16 | stats count by dest

Thanks.

Tags (3)
0 Karma
1 Solution

somesoni2
Revered Legend

This should do the trick

 index=MyIDS sourcetype="suricata:alert_fast" src=MySubnet.0.0/16 OR dest=MySubnet.0.0/16 |eval Org_ip=coalesce(src, dest) | stats count by Org_ip 

View solution in original post

somesoni2
Revered Legend

This should do the trick

 index=MyIDS sourcetype="suricata:alert_fast" src=MySubnet.0.0/16 OR dest=MySubnet.0.0/16 |eval Org_ip=coalesce(src, dest) | stats count by Org_ip 

digital_alchemy
Path Finder

Thanks this put my on the correct path. I needed to filter out the IPs that were not in my organization, but that was easy enough.

Working search:

index=MyIDS sourcetype="suricata:alert_fast" | eval Org_ip=coalesce(src,dest) | search Org_ip=MySubnet.0.0/16 | stats count by Org_ip
0 Karma

digital_alchemy
Path Finder

This is logically what I would like to do but this search will not work.

    index=MyIDS sourcetype="suricata:alert_fast" src=MySubnet.0.0/16 OR dest=MySubnet.0.0/16 |rename src AS Org_ip, dest AS Org_ip | stats count by Org_ip | where Org_ip=MySubnet.0.0/16
0 Karma
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...