- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to search for the same IP in multiple sourcety...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Greetings,
I am looking for a way to search through 2 sourcetypes:
sourcetype=bro_http AND sourcetype=McAfee
to find any indications of a source IP on my network that shows up in those sourcetypes within a certain time frame, let's say an hour. They both have a common field name of src_ip.
The purpose is to attempt to try and detect a possible incident that may have occurred and see any correlation that may exist.
Any ideas would be appreciated.
Thanks,
Janice
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After posting above, I think I realized what you want: Has an IP showed up in both sourcetypes within an hour of each other. I think something like this will work:
sourcetype=bro_http OR sourcetype=McAfee|
bucket _time span=1m |
stats count by src_ip sourcetype _time | sort _time |
streamstats current=f last(_time) as prev_time, last(sourcetype) as prev_sourcetype by src_ip |
where prev_sourcetype!=sourcetype and _time-prev_time<3600 |
eval prev_time=strftime(prev_time,"%Y-%m-%d %T")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After posting above, I think I realized what you want: Has an IP showed up in both sourcetypes within an hour of each other. I think something like this will work:
sourcetype=bro_http OR sourcetype=McAfee|
bucket _time span=1m |
stats count by src_ip sourcetype _time | sort _time |
streamstats current=f last(_time) as prev_time, last(sourcetype) as prev_sourcetype by src_ip |
where prev_sourcetype!=sourcetype and _time-prev_time<3600 |
eval prev_time=strftime(prev_time,"%Y-%m-%d %T")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks so much for your help. All of the searches worked, but this one gave me the best view of what I was trying to accomplish. I will try to build upon it from there to include other sourcetypes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi janiceb,
This search will give you all related events for src_ip values that appear in both sourcetypes given a particular search time range:
src_ip=* sourcetype=bro_http OR sourcetype=McAfee | eventstats dc(sourcetype) AS sourcetype_count by src_ip | where sourcetype_count > 1
Please let me know if this answers your question!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your assistance. I wasn't able to get this to work for me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
index=* sourcetype=bro_http OR sourcetype=McAfee src_ip=* | chart count over src_ip by sourcetype | where bro_http>0 AND McAfee>0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Sundareshr. Thanks for your help. This search worked.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sourcetype=bro_http OR sourcetype=McAfee |
chart count over src_ip by sourcetype |
where McAfee>0 and bro_http>0
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
