Splunk Search

How to search web logs for all destination IPs that only a single source IP has requested?

ng87
Path Finder

So I have web logs 🙂; the web logs contain source IP, destination IP and other info.
I am trying to write a search that will show me all the destination IPs that only a single source IP has requested.

Example is something like: more than 100 source IPs connected to Google's IP, however, only a single IP has connected to hxxp://iambad.com .
Any ideas on how to craft this search? I have been trying using:

| stats count(dest_ip) as DEST by src_ip
| where DEST = 1

However, this returns any destination IP that has been visited once PER source IP and not all source IPs.

I hope the above makes sense and you can help

0 Karma
1 Solution

acharlieh
Influencer

I think I understand...

<base search> | stats values(src_ip) as src_ips by dest_ip | where mvcount(src_ips) = 1

For every destination IP, we collect the list of unique source IPs that connected to it, and keep only those where there is only one source IP in that list.

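A fuller version of the accepted approach, added here as an example and not taken from the thread: it assumes the index is `proxy`, the sourcetype is `web_access`, and the fields are named `src_ip` and `dest_ip` (all assumptions), and it uses `dc()` instead of `mvcount(values())` so the source list can be kept alongside the distinct count, with hit counts and first/last seen times to help triage which rarely contacted destinations deserve a look first.

```spl
``` Assumed index, sourcetype and field names; adjust to your own data ```
index=proxy sourcetype=web_access
``` One row per destination: how many distinct sources, which ones, how often, and when ```
| stats dc(src_ip) AS src_count
        values(src_ip) AS src_ips
        count AS hits
        earliest(_time) AS first_seen
        latest(_time) AS last_seen
    BY dest_ip
``` Keep only destinations that exactly one source IP ever requested ```
| where src_count = 1
``` Make the timestamps readable and surface the busiest single-source destinations first ```
| convert ctime(first_seen) ctime(last_seen)
| sort - hits
| table dest_ip src_ips hits first_seen last_seen
```

Because `src_count` is computed across the whole search window, widen the time range if you want "only ever one source" rather than "only one source in the last hour".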


badarsebard
Communicator

I'm not sure I understand your example very well, but I can tell you that if you want to view all destination IPs that each source IP has requested you will need to perform a stats command and split by src_ip, (e.g. |stats list(dest_ip) by src_ip). As for the particular function you want, I would recommend checking out list or values first as they are most likely what you want.

0 Karma