SPLUNK - Network Filters

From Wiki.IT-Arts.net


Source And Destination IP And Ports

(srcip=10.20.30.* OR srcip=10.20.40.*) AND (dstip=192.168.1.* OR dstip=192.168.2.*) AND dstport=443


Count By SourceIP, Display Table With SourceIP / DestinationIP / Port

dstport=1234 AND dstip=1.2.3.4 | stats count by srcip | sort -count


Count By DestinationPort, Display Table With SourceIP / DestinationIP / DestinationPort / Count

Count By DestinationIP

srcip=10.2.3.* AND dstport=443 | stats count by dstip, dstport | table srcip, dstip, dstport, count


Coutn By DestinationPort

(srcip=10.2.3.* OR srcip=10.2.4.*) AND dstport=443 | stats count by dstip, dstport | table srcip, dstip, dstport, count


Count By Action

dstip=10.2.3.* OR dstip=10.2.4.* AND dstport=1234 | stats count by action, srcip, dstip, dstport | table srcip, dstip, dstport, action, count
Retrieved from "https://wiki.it-arts.net/index.php?title=SPLUNK_-_Network_Filters&oldid=433"