Let's assume the following:
From the above firewall log, I need to investigate the following:
In order for me to do this, I guess I need to count the number of destination IPs based on source IPs. I want to create Splunk search criteria to accomplish this.
I guess the process pattern is below:
IP SRC=10.1.1.7, DEST=211.123.23.4
IP SRC=10.1.1.7, DEST=121.33.13.7
IP SRC=10.1.1.7, DEST=21.13.32.3
IP SRC=10.1.1.7, DEST=172.23.185.5
IP SRC=10.1.1.7, DEST=231.53.2.82
IP SRC=10.1.1.7, DEST=23.35.78.2
IP SRC=10.1.1.7, DEST=221.73.5.123
IP SRC=10.1.1.7, DEST=81.33.98.44
IP SRC=10.1.1.7, DEST=78.19.21.25
IP SRC=10.1.1.7, DEST=62.53.76.89
IP SRC=10.1.1.7, DEST=2341.3.2.125
To get results like:
10.2.7.32 87 Connections
10.1.1.7 11 Connections
etc..
Seems to me that simply:
... | stats distinct_count(DEST) by SRC
or
... | stats count by DEST,SRC | stats count by SRC
would do it.
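As an added illustration (not part of the original question or answer), the script below does offline what the two searches above do in Splunk: it parses lines in the question's "IP SRC=..., DEST=..." shape, computes the distinct destination count per source (`stats distinct_count(DEST) by SRC`) alongside the raw connection count per source (`stats count by SRC`), and ranks sources by how many distinct destinations they touched. The log lines, field regex and function names are constructed for this example; the distinction it shows is the one worth keeping in mind when hunting for scanning or beaconing hosts: a source with many connections to one destination and a source fanning out to many destinations look identical under a plain `count by SRC`.

```python
import re
from collections import defaultdict

# Constructed sample lines in the question's "IP SRC=..., DEST=..." shape.
# These values are made up for the example and include a duplicate pair and
# one unparseable line to show how each is handled.
SAMPLE_LOG = """\
IP SRC=10.1.1.7, DEST=211.123.23.4
IP SRC=10.1.1.7, DEST=121.33.13.7
IP SRC=10.1.1.7, DEST=211.123.23.4
IP SRC=10.2.7.32, DEST=21.13.32.3
IP SRC=10.2.7.32, DEST=172.23.185.5
IP SRC=10.2.7.32, DEST=172.23.185.5
IP SRC=10.2.7.32, DEST=23.35.78.2
this line carries no SRC/DEST fields and is skipped
"""

# Field extraction, roughly what Splunk's automatic KV extraction would yield
# for SRC and DEST on these lines (assumed pattern, not the poster's real log).
FIELD_RE = re.compile(r"SRC=(?P<src>[\d.]+),\s*DEST=(?P<dest>[\d.]+)")


def parse_events(text):
    """Yield (src, dest) pairs; lines that do not match the pattern are skipped."""
    for line in text.splitlines():
        m = FIELD_RE.search(line)
        if m:
            yield m.group("src"), m.group("dest")


def distinct_dest_by_src(events):
    """Equivalent of `| stats distinct_count(DEST) by SRC`.

    Repeated connections to the same destination count once.
    """
    dests = defaultdict(set)
    for src, dest in events:
        dests[src].add(dest)
    return {src: len(d) for src, d in dests.items()}


def connections_by_src(events):
    """Equivalent of `| stats count by SRC`: every event counts, duplicates included."""
    counts = defaultdict(int)
    for src, _ in events:
        counts[src] += 1
    return dict(counts)


def top_talkers(text, limit=10):
    """Rank sources by distinct destinations, highest first (like `| sort - dc_dest`).

    Returns (src, distinct_destinations, total_connections) tuples.
    """
    events = list(parse_events(text))  # materialise: consumed twice below
    dc = distinct_dest_by_src(events)
    total = connections_by_src(events)
    ranked = sorted(dc.items(), key=lambda kv: kv[1], reverse=True)[:limit]
    return [(src, n_dest, total[src]) for src, n_dest in ranked]


if __name__ == "__main__":
    for src, n_dest, n_conn in top_talkers(SAMPLE_LOG):
        print(f"{src} {n_dest} distinct destinations ({n_conn} connections)")
```

On the constructed input, 10.1.1.7 has three connections but only two distinct destinations, and 10.2.7.32 has four connections to three destinations; the first Splunk search reports the distinct figures (2 and 3), while a plain `stats count by SRC` would report 3 and 4.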