Splunk Lantern

Volume of network traffic from one user

You might want to look at the volume of traffic related to a certain user's network connections when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

While monitoring your network traffic for volume outliers, excessive data from one user catches your eye. You want to investigate that user's activity.

To optimize the search shown below, you should specify an index and a time range. In addition, this sample search uses Palo Alto Networks data. You can replace this source with any other firewall data used in your organization.

  1. Run the following search:
sourcetype="pan:traffic" (src_ip=<IP address of user> OR dest_ip=<IP address of user>)
| stats count AS event_count sum(bytes_in) AS bytes_in sum(bytes_out) AS bytes_out sum(bytes) AS bytes_total by src_ip dest_ip
| eval mb_in=round((bytes_in/1024/1024),2)
| eval mb_out=round((bytes_out/1024/1024),2)
| eval mb_total=round((bytes_total/1024/1024),2)
| fields - bytes*
| sort - mb_total
| head 10

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search | Explanation

sourcetype="pan:traffic" 

Search only Palo Alto Networks data.

(src_ip=<IP address of user> OR dest_ip=<IP address of user>)

Search for events with the IP address of the user you are investigating as the source or destination.

| stats count AS event_count sum(bytes_in) AS bytes_in sum(bytes_out) AS bytes_out sum(bytes) AS bytes_total by src_ip dest_ip

Group the events by unique source and destination IP address pair, count the number of times each pair occurred, and show the result in an event_count column. Sum the bytes in, bytes out, and bytes total for each pair. Note that grouping by src_ip and dest_ip is directional: traffic the user initiated and traffic initiated toward the user by the same remote host land in separate rows.

| eval mb_in=round((bytes_in/1024/1024),2)

Convert bytes_in to megabytes, rounded to two decimal places, and display the value in a column called mb_in. The following two eval commands do the same for bytes_out and bytes_total, producing the mb_out and mb_total columns.

| fields - bytes*

Remove every field whose name starts with bytes (the raw byte counts), leaving only the megabyte columns in the results.

| sort - mb_total

Sort the results in descending order of mb_total so the source and destination pair with the highest total megabyte count appears first.

| head 10

Limit the results to the top 10.
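To make the aggregation in this search concrete without a Splunk instance, here is an added Python re-implementation of the same pipeline over a handful of constructed pan:traffic-style events (this is example code, not part of the Splunk Lantern article or the Splunk product). The field names, sample IP addresses and byte counts are assumptions; the sample includes one event where the investigated user is the destination, which shows up as its own row because the stats grouping is directional.

```python
from collections import defaultdict

# Constructed sample events (not real traffic). Each dict carries the fields the
# search relies on; "bytes" is derived as bytes_in + bytes_out when absent.
SAMPLE_EVENTS = [
    {"sourcetype": "pan:traffic", "src_ip": "10.1.1.5", "dest_ip": "203.0.113.10", "bytes_in": 1_048_576, "bytes_out": 2_097_152},
    {"sourcetype": "pan:traffic", "src_ip": "10.1.1.5", "dest_ip": "203.0.113.10", "bytes_in": 524_288, "bytes_out": 524_288},
    {"sourcetype": "pan:traffic", "src_ip": "10.1.1.5", "dest_ip": "198.51.100.7", "bytes_in": 262_144, "bytes_out": 5_242_880},
    # Inbound connection to the user: grouped separately from the user's own outbound rows.
    {"sourcetype": "pan:traffic", "src_ip": "192.0.2.9", "dest_ip": "10.1.1.5", "bytes_in": 10_485_760, "bytes_out": 0},
    # Noise that the search must drop: a different host, and a non-PAN sourcetype.
    {"sourcetype": "pan:traffic", "src_ip": "10.1.1.77", "dest_ip": "203.0.113.10", "bytes_in": 99_999_999, "bytes_out": 1},
    {"sourcetype": "syslog", "src_ip": "10.1.1.5", "dest_ip": "203.0.113.10", "bytes_in": 5, "bytes_out": 5},
]


def to_mb(num_bytes):
    # Mirrors: eval mb=round((bytes/1024/1024),2)
    return round(num_bytes / 1024 / 1024, 2)


def top_talkers(events, user_ip, limit=10):
    """Reproduce the search: filter, stats by src/dest pair, convert to MB, sort, head."""
    # sourcetype="pan:traffic" (src_ip=<user> OR dest_ip=<user>)
    matching = [e for e in events
                if e.get("sourcetype") == "pan:traffic" and user_ip in (e["src_ip"], e["dest_ip"])]
    # stats count sum(bytes_in) sum(bytes_out) sum(bytes) by src_ip dest_ip
    groups = defaultdict(lambda: {"event_count": 0, "bytes_in": 0, "bytes_out": 0, "bytes_total": 0})
    for e in matching:
        g = groups[(e["src_ip"], e["dest_ip"])]
        g["event_count"] += 1
        g["bytes_in"] += e["bytes_in"]
        g["bytes_out"] += e["bytes_out"]
        g["bytes_total"] += e.get("bytes", e["bytes_in"] + e["bytes_out"])
    # eval mb_* ... | fields - bytes*  (only the MB columns survive)
    rows = [{"src_ip": src, "dest_ip": dst, "event_count": g["event_count"],
             "mb_in": to_mb(g["bytes_in"]), "mb_out": to_mb(g["bytes_out"]),
             "mb_total": to_mb(g["bytes_total"])}
            for (src, dst), g in groups.items()]
    # sort - mb_total | head <limit>
    rows.sort(key=lambda r: r["mb_total"], reverse=True)
    return rows[:limit]


if __name__ == "__main__":
    for row in top_talkers(SAMPLE_EVENTS, "10.1.1.5"):
        print(row)
```

The inbound row (192.0.2.9 to 10.1.1.5) sorts to the top even though the user sent nothing in that direction, which is why both sides of the OR clause matter when you read the top-10 list.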

Result

The results show the top 10 talkers, the source and destination pairs exchanging the most data, between the user under investigation and other systems. You can investigate the connections and drill further into each of them as needed.
