How to create a search to find the same IP hitting...

sbhuie · ‎06-21-2019

Having trouble creating a search that will determine if any single unique IP hits a defined URL 5 or more times within a 30 minute time frame. I've been trying something like this...

index=*index* sourcetype=*sourcetype* URL="*uriPath*"
| stats dc(*uriPath*) as URL by *srcIP*
| where URL>5

spayneort · ‎06-24-2019

If it is a single uriPath you are looking at, you can do this:

index="<index>" sourcetype="<sourcetype>" URL="<uriPath>" | stats count by srcIP | search count>5

niketn · ‎06-23-2019

@sbhuie try the following

 index=<index> sourcetype=<sourcetype> URL="<uriPath>"
 | bin _time span=30min
 | stats dc(URL) as URL by _time srcIP
 | where URL>5
 | xyseries _time srcIP URL

Following is run anywhere search example based on Splunk's _internal index

index=_internal sourcetype=splunkd_ui_access
| bin _time span=30min
| stats dc(uri) as Hit by _time  clientip
| search Hit>5
| xyseries _time clientip Hit

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

How to create a search to find the same IP hitting specific URL (x number of times)?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...