Splunk Search

How can I count the total IDS alerts per host within subnet?

digital_alchemy
Path Finder

I would like to create a search to show the number of IDS alerts per host. The problem I'm having is that I'm unable to combine the count where a host may trigger an alert as both the destination IP and the source IP.

What I would like to be able to do is combine these two searches into one that will calculate the total count of alerts for all hosts within my subnet whether they are the src or dest IP.

index=MyIDS sourcetype="suricata:alert_fast" src=MySubnet.0.0/16 | stats count by src

index=MyIDS sourcetype="suricata:alert_fast" dest=MySubnet.0.0/16 | stats count by dest

Thanks.

Tags (3)
0 Karma
1 Solution

somesoni2
Revered Legend

This should do the trick

 index=MyIDS sourcetype="suricata:alert_fast" src=MySubnet.0.0/16 OR dest=MySubnet.0.0/16 |eval Org_ip=coalesce(src, dest) | stats count by Org_ip 

View solution in original post

somesoni2
Revered Legend

This should do the trick

 index=MyIDS sourcetype="suricata:alert_fast" src=MySubnet.0.0/16 OR dest=MySubnet.0.0/16 |eval Org_ip=coalesce(src, dest) | stats count by Org_ip 

digital_alchemy
Path Finder

Thanks this put my on the correct path. I needed to filter out the IPs that were not in my organization, but that was easy enough.

Working search:

index=MyIDS sourcetype="suricata:alert_fast" | eval Org_ip=coalesce(src,dest) | search Org_ip=MySubnet.0.0/16 | stats count by Org_ip
0 Karma

digital_alchemy
Path Finder

This is logically what I would like to do but this search will not work.

    index=MyIDS sourcetype="suricata:alert_fast" src=MySubnet.0.0/16 OR dest=MySubnet.0.0/16 |rename src AS Org_ip, dest AS Org_ip | stats count by Org_ip | where Org_ip=MySubnet.0.0/16
0 Karma
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...