- Splunk Answers
- :
- Splunk Administration
- :
- Monitoring Splunk
- :
- What is the best way to track a specific IP addres...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are looking to track a specific IP for traffic to let us know when traffic stops flowing and diverts to another location. Need to know the best way of doing this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am assuming you have some event logging connected to the ip in question-something like userlogon ip=d.d.d.d
Now what I suggest is :
First get all events which captures traffic flow on this ip using something like the above event text
Next, your search | table _time,ip
next, use the previous function to calculate the _time of the previous event
next, calculate the time difference between the current row value of _time and previous _time (both of which will now be in the same row, so all rows barring the first event will have a _time and a previous _time in the same row)
next, calculate the time difference between _time and previous _time
next, establish a criteria , something like if difference>10 mins, traffic is stopped/diverted
We can help more if you can give some original query pertaining to the raw event and ip
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All we have in the search window now is just the IP address. Nothing fancy at all. Using trigger conditions trigger actions to try to produce what we are looking for and that is not really what we are looking for.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
You need to be a bit more specific, 'Using trigger conditions trigger actions to try to produce what we are looking for and that is not really what we are looking for.'
So what is the condition that identifies as an ip not being used and trafic being diverted to another location?
Is it something like
1st event ip d.d.d.d
2nd event ip d.d.d.d
3rd event ip x.x.x.x
and you want to capture the 3rd event / timestamp as the time when traffic got diverted?
You really need to provide an exact sample of how your events look like in Spunk at the moment
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When we see no traffic to x.x.x.x for 15 minutes thenwe want a trigger to send a message
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am assuming you have some event logging connected to the ip in question-something like userlogon ip=d.d.d.d
Now what I suggest is :
First get all events which captures traffic flow on this ip using something like the above event text
Next, your search | table _time,ip
next, use the previous function to calculate the _time of the previous event
next, calculate the time difference between the current row value of _time and previous _time (both of which will now be in the same row, so all rows barring the first event will have a _time and a previous _time in the same row)
next, calculate the time difference between _time and previous _time
next, establish a criteria , something like if difference>10 mins, traffic is stopped/diverted
We can help more if you can give some original query pertaining to the raw event and ip
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
