Unusually high volume detection with respect to the same day of the previous week per server

christianubeda — Mon, 27 May 2019 16:38:02 GMT

It would be possible to detect an increase in volume per server.

This is my current search that looks global but would need one per server without having to create 100 search one by src_Ip = ...

index=cisco_asa sourcetype="cisco:asa" Cisco_ASA_action=allowed  earliest=-1w
 | timechart count span=1d perc95(avg) 
 | where strftime(_time, "%A") == strftime(now(),"%A") 
 | timewrap w 
 | rename "* ago" as * | eval avg=Total/3.0 | rename latest_week as Today 1week_before as Lastday _time as Date | eval ChangePercent = (Today - Lastday) / 100 | convert timeformat="%m/%d/%Y %H:%M:%S" ctime(Date)  | where ChangePercent > 0.20

Thank you!

Re: Unusually high volume detection with respect to the same day of the previous week per server

koshyk — Mon, 27 May 2019 19:38:13 GMT

Is this same question as https://answers.splunk.com/answers/748738/cisco-asa-volume-detection-today-against-same-day.html ?
If not, you could do it very similar to the above question

topic Unusually high volume detection with respect to the same day of the previous week per server in Splunk Search

Unusually high volume detection with respect to the same day of the previous week per server

Re: Unusually high volume detection with respect to the same day of the previous week per server