https://community.splunk.com/t5/Alerting/How-to-detect-and-alert-abnormal-spikes-of-web-api-requests/m-p/446960#M11524 <P>@bestSplunker you can refer to <A href="https://docs.splunk.com/Documentation/MLApp/latest/User/DNOExperiment">Detect Numerical Outlier</A> examples in <A href="https://splunkbase.splunk.com/app/2890/">Splunk Machine Learning Toolkit</A> to check out methods to find outliers and choose the best one as per your data needs. Refer to recent answer: <A href="https://answers.splunk.com/answers/754085/calculating-median-of-count-over-time.html">https://answers.splunk.com/answers/754085/calculating-median-of-count-over-time.html</A></P> <P>Even if you do not install MLTK in your production system you can use the SPL directly (generated by MLTK in non-prod system) along with Splunk's built in visualization to depict the outliers. Refer to an older answer of mine: <A href="https://answers.splunk.com/answers/747177/how-to-add-a-reference-line-to-an-outlier-chart-cr.html">https://answers.splunk.com/answers/747177/how-to-add-a-reference-line-to-an-outlier-chart-cr.html</A></P> Wed, 03 Jul 2019 01:58:13 GMT niketn 2019-07-03T01:58:13Z https://community.splunk.com/t5/Alerting/How-to-detect-and-alert-abnormal-spikes-of-web-api-requests/m-p/446958#M11522 <P>hi. everyone .</P> <P>My website has some API interfaces. Sometimes malicious attacks will request these api continuously. It is clear on the time chart that the peak has been reached. How do I detect and alert?</P> <P>for example:</P> <P>I have a search like this now, I can see the number of requests per hour for these URIs.</P> <PRE><CODE>index = web sourcetype=nginx_access uri=/api/getuserInfo OR uri=/api/featchData OR uri=/login OR uri=/home |timechart span=1h count by uri </CODE></PRE> <P>under normal conditions the request per hour of <CODE>/api/getuserInfo</CODE> is about 1000~5000 times, if a certain time period encounters a malicious attack, the interface requests 50,000 times. I think this is an anomaly. How should I use a smarter method to detect abnormal peaks and issue alarms?</P> <P>I think of a stupid way, i can write the number of api interface requests per hour to csv or kvstore, and then use today's and yesterday's comparisons to see the magnitude of the rise. If the rise is too high, I think this is abnormal peaks</P> <P>But I think there are more efficient methods, such as machine learning? Can someone help me and share a use case with me, thank you</P> <P>Note: I have a lot of API interfaces, about 20, I want to monitor the abnormal peak of each API interface,</P> Tue, 02 Jul 2019 08:05:57 GMT https://community.splunk.com/t5/Alerting/How-to-detect-and-alert-abnormal-spikes-of-web-api-requests/m-p/446958#M11522 bestSplunker 2019-07-02T08:05:57Z https://community.splunk.com/t5/Alerting/How-to-detect-and-alert-abnormal-spikes-of-web-api-requests/m-p/446959#M11523 <P>Check this out:<BR /> <A href="https://answers.splunk.com/answers/511894/how-to-use-the-timewrap-command-and-set-an-alert-f.html">https://answers.splunk.com/answers/511894/how-to-use-the-timewrap-command-and-set-an-alert-f.html</A></P> Tue, 02 Jul 2019 14:23:59 GMT https://community.splunk.com/t5/Alerting/How-to-detect-and-alert-abnormal-spikes-of-web-api-requests/m-p/446959#M11523 woodcock 2019-07-02T14:23:59Z https://community.splunk.com/t5/Alerting/How-to-detect-and-alert-abnormal-spikes-of-web-api-requests/m-p/446960#M11524 <P>@bestSplunker you can refer to <A href="https://docs.splunk.com/Documentation/MLApp/latest/User/DNOExperiment">Detect Numerical Outlier</A> examples in <A href="https://splunkbase.splunk.com/app/2890/">Splunk Machine Learning Toolkit</A> to check out methods to find outliers and choose the best one as per your data needs. Refer to recent answer: <A href="https://answers.splunk.com/answers/754085/calculating-median-of-count-over-time.html">https://answers.splunk.com/answers/754085/calculating-median-of-count-over-time.html</A></P> <P>Even if you do not install MLTK in your production system you can use the SPL directly (generated by MLTK in non-prod system) along with Splunk's built in visualization to depict the outliers. Refer to an older answer of mine: <A href="https://answers.splunk.com/answers/747177/how-to-add-a-reference-line-to-an-outlier-chart-cr.html">https://answers.splunk.com/answers/747177/how-to-add-a-reference-line-to-an-outlier-chart-cr.html</A></P> Wed, 03 Jul 2019 01:58:13 GMT https://community.splunk.com/t5/Alerting/How-to-detect-and-alert-abnormal-spikes-of-web-api-requests/m-p/446960#M11524 niketn 2019-07-03T01:58:13Z