topic Re: Average of web requests blocked - span of 10 minutes in Splunk Search

Average of web requests blocked - span of 10 minutes

rookie507SL — Wed, 06 Sep 2017 23:32:53 GMT

Hi mates,

I'm trying to get the most 10 IP addresses with blocked web requests during a month, but the threshold should be using the count of requests during a 10 minutes window.

This is my query so far

index=index-example  dest_interface=wan_if sourcetype=source_example action=blocked subtype=webfilter | bucket _time span=10m
| stats count by source_ip URL 
| where count > 50

If I use the query above, I will get the IP addresses and URL visited. But, if I search for a month using this query, I will get a sum of the "count" value, getting results of 7,000 for example.

I would like to get an average of the count value, and this way I can see which IP addresses are involved in this type of traffic.

I read about using avg(field), but I cannot decide where to use it. I thought about including "stats avg(count)" but I cannot get results.

Please, any idea would be appreciated.

Thanks !

Re: Average of web requests blocked - span of 10 minutes

woodcock — Thu, 07 Sep 2017 02:18:50 GMT

Like this:

index=index-example  dest_interface=wan_if sourcetype=source_example action=blocked subtype=webfilter
| bucket _time span=10m
| stats count BY source_ip URL _time
| stats avg(count) AS count BY source_ip URL
| where count > 50

Re: Average of web requests blocked - span of 10 minutes

rookie507SL — Wed, 13 Sep 2017 13:52:57 GMT

Sorry for the late response.

Really thank you for your reply, it worked.