Splunk Search

How to edit my search to find different ports used per IP and their count?

lakromani
Builder

I have am looking data from out firewall.
There I have a search that gives me a list of all allowed traffic to all IP in our c range.

I would like to get a list of hits per port per IP like this:

dest_ip        port     hits
75.75.75.1      80      50
                  443      200
75.75.75.22    21       354
                  80        65
                  8080    125
75.75.75.65    80       45
                  443      2

If I do like this:

my search  |  stats values(dest_port) dc(dest_port) by dest_ip

I get the count of different type of ports, not number of hits per ports like this:

dest_ip        port     hits
75.75.75.1      80      2
                  443
75.75.75.22    21       3
                  80
                  8080
75.75.75.65    80       2
                  443

This:

my search  |  stats values(dest_port) count(dest_port) by dest_ip

seem to give me the total hits for all packets per host, not per port per ip

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

The expected output requires two stats commands, like this

 my search | stats  count by dest_ip,dest_port | stats list(dest_port) as port list(count) as hits by dest_ip

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

The expected output requires two stats commands, like this

 my search | stats  count by dest_ip,dest_port | stats list(dest_port) as port list(count) as hits by dest_ip

lakromani
Builder

This was just what I needed. Thanks.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...