https://community.splunk.com/t5/Splunk-Search/How-to-display-the-volume-of-connections-per-day-of-the-week-to/m-p/588225#M204852 <P>Thanks for increasing my knowledge on this, sincerely appreciated.<BR /><BR /></P><P>&nbsp;</P> Wed, 09 Mar 2022 12:35:55 GMT Gurv_Bahad 2022-03-09T12:35:55Z https://community.splunk.com/t5/Splunk-Search/How-to-display-the-volume-of-connections-per-day-of-the-week-to/m-p/587996#M204785 <P>index=Network dest_ip=xx.xx.xx.xx action=allowed</P> <P>Trying to list total allowed connections to destination IP by day, regardless of source to try and determine the volume of connections per day of the week and show which days are busiest and also if possible to determine when during the day do the number of connections peak.</P> <P>Any help would be greatly appreciated.</P> Tue, 08 Mar 2022 22:09:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-the-volume-of-connections-per-day-of-the-week-to/m-p/587996#M204785 Gurv_Bahad 2022-03-08T22:09:10Z https://community.splunk.com/t5/Splunk-Search/How-to-display-the-volume-of-connections-per-day-of-the-week-to/m-p/588002#M204786 <P>What did you try so far?</P> Tue, 08 Mar 2022 11:27:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-the-volume-of-connections-per-day-of-the-week-to/m-p/588002#M204786 PickleRick 2022-03-08T11:27:20Z https://community.splunk.com/t5/Splunk-Search/How-to-display-the-volume-of-connections-per-day-of-the-week-to/m-p/588011#M204789 efforts so far include; mysearch| timechart span=1d count by src_ip limit=0 Which displays a grid of IP's against days. Right now, just total connections per day are needed. Peaks during the day itself would be nice. Trying a few suggestions on similar questions posted but none produce the desired results Tue, 08 Mar 2022 12:12:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-the-volume-of-connections-per-day-of-the-week-to/m-p/588011#M204789 Gurv_Bahad 2022-03-08T12:12:19Z https://community.splunk.com/t5/Splunk-Search/How-to-display-the-volume-of-connections-per-day-of-the-week-to/m-p/588037#M204797 <P>Well, there are two approaches to prepare this data, one is pretty as you wrote it:</P><PRE>&lt;yoursearch&gt; | timechart span=1d count by src_ip limit=0</PRE><P>The other one is done a bit differently</P><PRE>&lt;yoursearch&gt; | bin span=1d | stats count by src_ip _time</PRE><P>They should produce the same results, just differently "formatted" - first one, as you noticed, will produce a grid of count by day/src_ip. The latter will show count by pair "day/src_ip".</P><P>You can transform one to another with untable/xyseries.</P> Tue, 08 Mar 2022 14:37:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-the-volume-of-connections-per-day-of-the-week-to/m-p/588037#M204797 PickleRick 2022-03-08T14:37:53Z https://community.splunk.com/t5/Splunk-Search/How-to-display-the-volume-of-connections-per-day-of-the-week-to/m-p/588214#M204846 <P><SPAN>Thanks for replying Rick,</SPAN></P><P><SPAN>Running the following:</SPAN></P><P><SPAN>index=Network dest_ip=xx.xx.xx.xx. action=allowed<BR />| bin span=1d | stats count by src_ip _time</SPAN></P><P><SPAN>Returns the following error:<BR /></SPAN><SPAN>Error in 'bin' command: You must specify a field to discretize.<BR /><BR />Not looking to list the source IP's, just need counts per day so have tried using:<BR /><BR />index=Network dest_ip=xx.xx.xx.xx. action=allowed&nbsp;| bin _time span=1d | stats count by _time<BR /><BR />Reading this as&nbsp;<BR />when the condition (index=Network dest_ip=xx.xx.xx.xx. action=allowed) has been met, break up time into 1 day Bins (bin _time span=1d ) and list total count of each time this condition is met for each Bin which is one day.<BR />Am I on the right track here?&nbsp;<BR /></SPAN></P> Wed, 09 Mar 2022 11:15:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-the-volume-of-connections-per-day-of-the-week-to/m-p/588214#M204846 Gurv_Bahad 2022-03-09T11:15:34Z https://community.splunk.com/t5/Splunk-Search/How-to-display-the-volume-of-connections-per-day-of-the-week-to/m-p/588221#M204849 <P>Sorry, of course I ommited the field with bin command (I often write the responses while walking my dog, without access to the live splunk environment :D)</P><P>And yes, your interpretation is quite correct. If there is no command, there's an implicit search so it could be written as well as</P><PRE>search index=Network dest_ip=xx.xx.xx.xx. action=allowed | bin _time span=1d | stats count by _time</PRE><P>And it means "search for events fulfilling given conditions", then "split it into day-sized bins/buckets" (the bin command does that by "adjusting" the _time field to the earliest possible time of this bin. So if you have span=1d, all your events from that day will be aligned to the midnight at the day's beginning.</P><P>As the last step of the pipeline you have "calculate count of events for each unique value of _time field". Since we did the binning in the previous step, we have all events "groupped" at the beginning of the day so we have just one _time value per whole day.</P><P>Since you're not splitting the data by any other fields, you can get pretty much the same results by</P><PRE>search index=Network dest_ip=xx.xx.xx.xx. action=allowed | timechart span=1d count</PRE><P>&nbsp;</P> Wed, 09 Mar 2022 12:02:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-the-volume-of-connections-per-day-of-the-week-to/m-p/588221#M204849 PickleRick 2022-03-09T12:02:54Z https://community.splunk.com/t5/Splunk-Search/How-to-display-the-volume-of-connections-per-day-of-the-week-to/m-p/588225#M204852 <P>Thanks for increasing my knowledge on this, sincerely appreciated.<BR /><BR /></P><P>&nbsp;</P> Wed, 09 Mar 2022 12:35:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-the-volume-of-connections-per-day-of-the-week-to/m-p/588225#M204852 Gurv_Bahad 2022-03-09T12:35:55Z