Hi,
I spent last few years with Splunk and now I’m an ELK user. I’d like to know if there is a way to perform a statistical search in ELK.
Let’s say, I have some firewall logs and I’d like to use it to detect a port scan behaviour. Here’s the query I’ll use in Splunk:
index=my_firewall_index
| stats dc(dest_port) as unequal_dest_port by source_ip
| where unequal_dest_port > 50
Could you please provide an ELK equivalent for this search?
Thanks.
Welcome to our community! 
You'd build a visualisation, aggregating on the source_ip field and then running a count metric on the dest_port field. Then add a filter for dest_port > 50
Sounds not that difficult 
I'll try it.
Thanks for the help!
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.