https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-query-for-similar-events-from-aggregated-data-and-few/m-p/406489#M4725 <P>You might be able to do this by re-stats-ing the stats (lol) and counting by the sum of your bytes. </P> <P>I think you need to mildly rework your actual stats, though, since you want it where the destination is the same (e.g. <CODE>by dest</CODE> as part of the stats). We also don't need the source in there, and having it in there might complicate things. Also I don't see where you are doing the _time in your <CODE>by</CODE> clause either, so I'm going to assume that's just a copy/paste oversight. So our new stats is...</P> <PRE><CODE>index="abc" | bucket _time span=30m | stats sum(bytes) as total_bytes by dest, _time </CODE></PRE> <P>You should then have results that are _time (in 30 minute chunks), dest, and total_bytes.</P> <P>Now we want to count these results, looking for the same dest and same total_bytes.</P> <PRE><CODE>index="abc" | bucket _time span=30m | stats sum(bytes) as total_bytes by dest, _time | stats count by dest, total_bytes </CODE></PRE> <P>So that should give you a consolidated list of how many times total_bytes occurs by dest over the entire time period. One final piece is to search that result for where is greater than 47. Or equal to 48. Or larger than 5, whatever, you'll easily see how to make that happen... <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <PRE><CODE>index="abc" | bucket _time span=30m | stats sum(bytes) as total_bytes by dest, _time | stats count by dest, total_bytes | search count&gt;47 </CODE></PRE> <P>Do those, step by step so that you can a) modify it a bit if I got a field name wrong or something, and b) so you understand each piece. That way if you have a similar problem you should be able to handle it yourself!</P> <P>Happy Splunking,<BR /> Rich</P> Tue, 29 Sep 2020 22:13:00 GMT Richfez 2020-09-29T22:13:00Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-query-for-similar-events-from-aggregated-data-and-few/m-p/406488#M4724 <P>Hi, </P> <P>I'm trying to find/create a splunk query for the following. </P> <P>My log is something like below: </P> <P><STRONG><EM>time=2018-10-26 06:09:21 UTC source=1.2.3.4 dest=5.6.7.8 bytes=100</EM></STRONG></P> <P>I'm aggregating the bytes something like below for 30min interval:</P> <P><STRONG><EM>index="abc" | bucket _time span=30m | stats values(source), values(dest), sum(bytes) as total_bytes</EM></STRONG></P> <P>If there are some source hosts which are sending to destination with fixed a data sizes (i.e, total_bytes) for every 30min and for last 1 day, then i would like to know those sources using splunk query.</P> <P>Basically, following conditions should exists: </P> <P>a) bytes are same. (total_bytes for the current bucket span and previous should be identical)<BR /> b) destination is same<BR /> c) time span bucket count 48 (meaning , 30min span for last 24 hours. 24*2 = 48). </P> <P>Could you please throw some light on creating the query for the above. I really appreciate your help this regard. </P> <P>Thanks,<BR /> Mahesh</P> Tue, 29 Sep 2020 22:09:06 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-query-for-similar-events-from-aggregated-data-and-few/m-p/406488#M4724 mahe90 2020-09-29T22:09:06Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-query-for-similar-events-from-aggregated-data-and-few/m-p/406489#M4725 <P>You might be able to do this by re-stats-ing the stats (lol) and counting by the sum of your bytes. </P> <P>I think you need to mildly rework your actual stats, though, since you want it where the destination is the same (e.g. <CODE>by dest</CODE> as part of the stats). We also don't need the source in there, and having it in there might complicate things. Also I don't see where you are doing the _time in your <CODE>by</CODE> clause either, so I'm going to assume that's just a copy/paste oversight. So our new stats is...</P> <PRE><CODE>index="abc" | bucket _time span=30m | stats sum(bytes) as total_bytes by dest, _time </CODE></PRE> <P>You should then have results that are _time (in 30 minute chunks), dest, and total_bytes.</P> <P>Now we want to count these results, looking for the same dest and same total_bytes.</P> <PRE><CODE>index="abc" | bucket _time span=30m | stats sum(bytes) as total_bytes by dest, _time | stats count by dest, total_bytes </CODE></PRE> <P>So that should give you a consolidated list of how many times total_bytes occurs by dest over the entire time period. One final piece is to search that result for where is greater than 47. Or equal to 48. Or larger than 5, whatever, you'll easily see how to make that happen... <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <PRE><CODE>index="abc" | bucket _time span=30m | stats sum(bytes) as total_bytes by dest, _time | stats count by dest, total_bytes | search count&gt;47 </CODE></PRE> <P>Do those, step by step so that you can a) modify it a bit if I got a field name wrong or something, and b) so you understand each piece. That way if you have a similar problem you should be able to handle it yourself!</P> <P>Happy Splunking,<BR /> Rich</P> Tue, 29 Sep 2020 22:13:00 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-query-for-similar-events-from-aggregated-data-and-few/m-p/406489#M4725 Richfez 2020-09-29T22:13:00Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-query-for-similar-events-from-aggregated-data-and-few/m-p/406490#M4726 <P>Thank you , Rich. </P> Sat, 01 Dec 2018 02:46:49 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-query-for-similar-events-from-aggregated-data-and-few/m-p/406490#M4726 mahe90 2018-12-01T02:46:49Z