Solved: How to find SSH session in past month

disasters · ‎01-20-2021

I want to know that there are or not SSH sessions which is in last 5 minutes in past 1 month. (except today)

- I want to compare srcip and dstip

- Time range picker (last 5 minutes)

index=fw AND dstport=22 NOT [ search index=fw AND dstport=22 earliest=-1mon@mon latest=-1day@day | fields + srcip, dstip]
| dedup srcip, dstip
| table _time, srcip, dstip, dstport, protocal, action, hostname

this is not working correctly.

manjunathmeti · ‎01-20-2021

Hi @disasters

Try this query,

If this reply helps you, an upvote/like would be appreciated.

View solution in original post

disasters · ‎01-21-2021

It works.

Could you explain purpose of stats, format?

manjunathmeti · ‎01-21-2021

stats is used as dedup to remove duplicate records and format is used to convert results into a single linear search string.

More on format here: https://docs.splunk.com/Documentation/SplunkCloud/latest/Search/Changetheformatofsubsearchresults#Ch...

manjunathmeti · ‎01-20-2021

Hi @disasters

Try this query,

If this reply helps you, an upvote/like would be appreciated.

How to find SSH session in past month

subsearch

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability