SPL: Top Blocked Source IPs from Firewall Logs
SPL For Splunk: Log Management & SIEM Overview · Validated on Splunk Enterprise 9.4
A NOC/SOC staple: which hosts are hammering the firewall? This returns the top 20 blocked source IPs with a count and a 24-hour trend sparkline.
index=firewall action=blocked
| stats count sparkline(count) AS trend by src_ip
| sort -count
| head 20
Reading it
index=firewall action=blocked— narrow to the right index and only denied events. Replaceaction=blockedwith your firewall’s field/value (e.g.dvc_action=deny).stats count sparkline(count) AS trend by src_ip— aggregate per source IP;sparkline()builds the inline trend chart you see in the statistics tab.sort -count | head 20— biggest talkers first, capped at 20.
Make it an alert
Wrap a threshold around it and schedule it:
index=firewall action=blocked
| stats count by src_ip
| where count > 1000
Save as an alert that triggers per result, throttled by src_ip for, say, 30 minutes, so one
noisy scanner doesn’t generate a storm of notifications.