I have a set of sources that access multiple destinations (IPs).
New to Splunk.
The query has to be set in such a way that an alert is triggered when any user accesses more than 5 distinct destinations within a 30-second window.
So far I am able to get distinct destinations accessed by each source by using:
index= ....... | stats values(destnIP) by sourceIP
The challenge that I am facing is:
1. For 'x' number of destnIP for every sourceIP, a new column should be created which reflects the number 'x', as in the count of destnIP.
2. Unable to use commands (count, eval, etc.) after stats.
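The detection the question describes (more than 5 distinct destinations from one source inside 30 seconds) is easy to get subtly wrong, so here is the logic worked through on constructed sample events. This is an added example, not code from the original post and not Splunk's SPL: it is plain Python, the log format (`<ISO timestamp> src=<ip> dst=<ip>`) and the sample lines are invented for illustration, and `src`/`dst` stand in for the post's `sourceIP`/`destnIP`. It implements a true sliding window and, for comparison, the fixed 30-second buckets that a `bin _time span=30s | stats dc(dst) by src, _time` style query produces, to show a burst that the bucketed version misses.

```python
"""Sliding-window fan-out detector: alert when one source reaches more than
MAX_DESTS distinct destination IPs inside any WINDOW_SECONDS window.
Added example; log format and sample events are constructed, not real data."""
from collections import defaultdict, deque
from datetime import datetime, timezone
import re

# Constructed sample events (not from the original post). 10.0.0.5 reaches six
# distinct destinations between 10:00:20 and 10:00:48, i.e. within 28 seconds,
# but the burst straddles the fixed 10:00:30 bucket boundary.
SAMPLE_LOG = """\
2024-05-01T10:00:12Z src=10.0.0.7 dst=10.1.1.9
2024-05-01T10:00:20Z src=10.0.0.5 dst=10.1.1.1
2024-05-01T10:00:25Z src=10.0.0.5 dst=10.1.1.2
2024-05-01T10:00:29Z src=10.0.0.5 dst=10.1.1.1
2024-05-01T10:00:35Z src=10.0.0.5 dst=10.1.1.3
2024-05-01T10:00:40Z src=10.0.0.5 dst=10.1.1.4
2024-05-01T10:00:45Z src=10.0.0.5 dst=10.1.1.5
2024-05-01T10:00:48Z src=10.0.0.5 dst=10.1.1.6
2024-05-01T10:01:30Z src=10.0.0.7 dst=10.1.1.10
2024-05-01T10:01:31Z src=10.0.0.7 dst=10.1.1.11
"""

# Assumed line layout: ISO-8601 UTC timestamp, then src=<ip> dst=<ip>.
EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)$")


def parse_events(text):
    """Yield (timestamp, src, dst) tuples in file order; skip lines that do not match."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["src"], m["dst"]


def detect_fanout(events, max_dests=5, window_seconds=30):
    """Return one alert per burst where a source exceeds max_dests distinct destinations.

    Sliding window: for each event, drop this source's events older than window_seconds
    relative to the event, then count the distinct destinations that remain. Events are
    sorted first because log order is not guaranteed to be time order.
    """
    windows = defaultdict(deque)   # src -> deque of (ts, dst), oldest first
    alerted_at = {}                # src -> time of last alert, to avoid one alert per event
    alerts = []
    for ts, src, dst in sorted(events, key=lambda e: e[0]):
        q = windows[src]
        q.append((ts, dst))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) > max_dests:
            last = alerted_at.get(src)
            # Suppress repeats while the same burst keeps growing; re-alert after a window.
            if last is None or (ts - last).total_seconds() > window_seconds:
                alerts.append({"src": src, "time": ts, "dest_count": len(distinct),
                               "dests": sorted(distinct)})
                alerted_at[src] = ts
    return alerts


def fixed_bin_counts(events, span_seconds=30):
    """Distinct destinations per (src, fixed bucket start), the way a bucketed query counts them.

    Shown for comparison only: a burst split across a bucket boundary is undercounted.
    """
    buckets = defaultdict(set)
    for ts, src, dst in events:
        bucket_start = int(ts.timestamp()) // span_seconds * span_seconds
        buckets[(src, bucket_start)].add(dst)
    return {key: len(dests) for key, dests in buckets.items()}


if __name__ == "__main__":
    for alert in detect_fanout(parse_events(SAMPLE_LOG)):
        print(f"ALERT {alert['src']} at {alert['time'].isoformat()}: "
              f"{alert['dest_count']} distinct destinations {alert['dests']}")
    print("fixed-bucket maximum distinct count:",
          max(fixed_bin_counts(parse_events(SAMPLE_LOG)).values()))
```

On the constructed sample the sliding window raises one alert for 10.0.0.5 with six destinations, while the largest fixed-bucket count is four, so a bucketed search with a `> 5` threshold would stay silent on the same burst. In Splunk the per-source distinct count the post is after comes from `dc()` rather than `values()` (for example `stats dc(destnIP) as dest_count by sourceIP`, after which `where dest_count > 5` works); whichever form is used, it is worth checking how the 30-second window is actually bounded before trusting the threshold.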