Hello Splunkers,
I'm looking to build a search w/ chart that tracks top 10 source IP's in a firewall but also a listing of the actual ports each IP is using. So like a top 10 src_ip and then the top 3 ports (dest_port) that each of the src_ip's is using. Does that make sense?
I can make the top 10 src_ip happen but I'm having trouble w/ adding the top 3 ports on top of that.
I've so far been able to list the total number of ports but not which actual ports the IP's are using the most.
Does that make sense?
Thanks for any assistance.
Hey I think I found it! Check it out:
index=firewall host=ofw.Corp.COM NOT ran.dom.ip.add [search index=firewall host=ofw.Corp.COM | top 15 src_ip | table src_ip] | stats count by src_ip,dest_port | chart sum(count) by src_ip dest_port
So close! That got us the correct X line with the IP's at the bottom but the graph stacks did not list the used port numbers or limit the number of IP's according to the top 10 search.
This search (below) does stack the ports properly and it does provide a legend. Does not list or limit IP's though. Check it out: index=firewall host=ofw.Corp.COM | stats count by src_ip,dest_port | chart sum(count) by src_ip dest_port
here is a link to the article: http://answers.splunk.com/answers/46246/how-do-i-create-a-firewall-report-with-both-destination-ip-a...
Thanks for your help.
The comma. Brilliant. Thank you. Did not think to use that. The result is very close to what I am trying to get visualize and it's the closest I've come to it but I'm essentially trying to get a top 10 for src_ip and then combine it w/ a top 3 for dest_port so I have a bar graph where the X axis lists each IP and on top of each IP (y axis) is a stacked bar/graph indicating each port used and each stack in the bar indicates how many times each port has been used.
Does that make sense?
Thank you very much for your help!
