topic Re: What does "bin _time span=100ms, eval H=len(_raw),transaction and maxevents" mean in this whole search? in Splunk Search

What does "bin _time span=100ms, eval H=len(_raw),transaction and maxevents" mean in this whole search?

M_fahad_hassan — Wed, 04 Nov 2020 17:30:32 GMT

Hi,

I am having confusion in understanding some portion of following search. Can anyone help me in understanding it please.

index=main | where cidrmatch("192.168.10.1285", src_ip) AND dst_ip="192.168.10.61" OR cidrmatch("192.168.10.1285", dst_ip) AND src_ip="192.168.10.61" OR cidrmatch("192.168.10.1285", src_ip) AND cidrmatch("192.168.10.1285", dst_ip) | bin _time span=1m | eval H=len(_raw) | stats count as W(H) mean(H) stdev(H) BY _time src_ip | join src_ip [search index=main | where cidrmatch("192.168.10.1285", src_ip) AND dst_ip="192.168.10.61" OR cidrmatch("192.168.10.1285", dst_ip) AND src_ip="192.168.10.61" OR cidrmatch("192.168.10.1285", src_ip) AND cidrmatch("192.168.10.1285", dst_ip) | transaction src_ip dst_ip maxevents=2 | bin _time span=1m | eval HH_jit=len(_raw) | stats count as W(HH_jit) mean(HH_jit) stdev(HH_jit) BY _time src_ip dst_ip] | join src_ip [search index=main | where cidrmatch("192.168.10.1285", src_ip) AND dst_ip="192.168.10.61" OR cidrmatch("192.168.10.1285", dst_ip) AND src_ip="192.168.10.61" OR cidrmatch("192.168.10.1285", src_ip) AND cidrmatch("192.168.10.1285", dst_ip) | bin _time span=1m | eval HpHp=len(_raw) | stats count as W(HpHp) mean(HpHp) stdev(HpHp) BY _time src_ip src_port dst_ip dst_port] | table _time W(H) mean(H) stdev(H) W(HH_jit) mean(HH_jit) stdev(HH_jit) W(HpHp) mean(HpHp) stdev(HpHp) magnitude(HpHp) radius(HpHp) covariance(HpHp) correlation(HpHp)

It is used for the extraction of statistical features on the base of time frame like 35ms, 100ms, 1m. I am not understanding what it actually mean by time frame in it. what is the mean of "bin _time span", "eval H=len(_raw)" , "transaction" , "maxevents =2" means ? what is count doing here ?

covariance: An approximated covariance between two streams. what is mean between two streams here?

Here is some information use for aggregating the features

H=packet size transfer in a unidirectional (host to all)

HH_jit = difference in time between transaction with the same IP values(host to host)

HpHp= packet transfer from host to host taking ports (host: port to host: port)

I have read from splunk search reference page about these different terms but not getting a clear picture about this particular case.

I need urgent help, i would appreciate a reply as soon as possible.

Re: What does "bin _time span=100ms, eval H=len(_raw),transaction and maxevents" mean in this whole search?

richgalloway — Wed, 04 Nov 2020 18:25:42 GMT

The bin command puts events into groups ("bins") based on the field name supplied. Bin sizes are specified by the span option, in this case. In this query, the command is grouping timestamps (_time) into 1-minute intervals.

eval H=len(_raw) is finding the number of characters in the _raw field and storing that value in the field called "H".

The transaction command groups multiple events with the same values for the specified fields into a single event. The maxevents=2 option says each grouping must contain no more than 2 events.

RTFM: https://docs.splunk.com/Documentation/Splunk/8.1.0/SearchReference/Bin

Re: What does "bin _time span=100ms, eval H=len(_raw),transaction and maxevents" mean in this whole search?

M_fahad_hassan — Wed, 04 Nov 2020 20:22:37 GMT

Thank you for your response.

what that time interval is doing i don't understand. Is it take 1 minute time difference from the times field and aggregate features on that basis like finding the mean of an packet size with a 1 minute time difference of values?

what is count doing there then? Still have question about An approximated covariance between two streams?