Hi, I want to write the "Sources Sending High Volume DNS Traffic" rule in Splunk. However, the following calculation does not work. The rule does not work properly if you do not write this calculation. What is this calculation for, and how can I change this calculation?
| where num_data_samples >=4 AND bytes_out > avg_bytes_out + 3 * stdev_bytes_out AND bytes_out > per_source_avg_bytes_out + 3 * per_source_stdev_bytes_out AND _time >= relative_time(maxtime, "@h")
Please elaborate on "does not work". Describe the expected results and how the calculation fails to match those expectations.
Have you verified all of the fields used in the calculation exist and have numeric values?
The calculation appears to be the part of the search that determines what is High Volume.
That may be a Good Thing. If you don't have a high volume of DNS traffic then the alert will return no results.
OTOH, it may be a bad thing. If your data doesn't contain the fields needed by the query then the alert will return no results regardless of the level of DNS traffic.
To determine which is the case, comment-out the where command and examine the results of the query. Confirm each field is present and has legitimate values. Compare the values to those used in the calculation to determine if they indicate a high volume or not.
Consider modifying the calculation to force the alert to trigger. This will confirm the query is working and that your traffic level is just too low to normally trigger the alert. Don't forget to restore the original calculation.
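The field-by-field check described in the answer above can be rehearsed offline. The following Python is an added example, not part of the thread or of Splunk's own content: it evaluates the four conditions of the where clause separately for each result row and reports which one removed the row. The function names and sample rows are constructed for illustration, and the hour snapping assumes a time zone with a whole-hour offset.

```python
# Added example: explains why a row passes or fails the thread's where clause.
# Function names and sample rows are constructed, not taken from Splunk.
NUMERIC_FIELDS = ("num_data_samples", "bytes_out", "avg_bytes_out", "stdev_bytes_out",
                  "per_source_avg_bytes_out", "per_source_stdev_bytes_out",
                  "_time", "maxtime")

def to_number(value):
    """Return a float, or None when the field is missing or not numeric."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return None

def snap_to_hour(epoch):
    """Mirror relative_time(maxtime, "@h"): round down to the start of the hour."""
    return epoch - (epoch % 3600)

def explain(row):
    """Return (fires, reasons); reasons lists every condition that was not met."""
    v = {f: to_number(row.get(f)) for f in NUMERIC_FIELDS}
    missing = [f for f in NUMERIC_FIELDS if v[f] is None]
    if missing:
        # A comparison against a null field is never true, so where drops the row.
        return False, ["missing or non-numeric: " + ", ".join(missing)]
    global_limit = v["avg_bytes_out"] + 3 * v["stdev_bytes_out"]
    source_limit = v["per_source_avg_bytes_out"] + 3 * v["per_source_stdev_bytes_out"]
    checks = [
        ("num_data_samples >= 4", v["num_data_samples"] >= 4),
        ("bytes_out above all-sources limit", v["bytes_out"] > global_limit),
        ("bytes_out above per-source limit", v["bytes_out"] > source_limit),
        ("_time in the latest hour", v["_time"] >= snap_to_hour(v["maxtime"])),
    ]
    failed = [name for name, ok in checks if not ok]
    return not failed, failed

# Constructed rows, shaped like the search output just before the where command.
BASE = {"num_data_samples": 24, "bytes_out": 90000, "avg_bytes_out": 20000,
        "stdev_bytes_out": 10000, "per_source_avg_bytes_out": 15000,
        "per_source_stdev_bytes_out": 5000, "_time": 1700002900, "maxtime": 1700003000}
ROWS = [
    dict(BASE, src="10.0.0.5"),                       # exceeds both limits
    dict(BASE, src="10.0.0.6", num_data_samples=2),   # too few samples
    dict(BASE, src="10.0.0.7", bytes_out=45000),      # high for source, not overall
    dict(BASE, src="10.0.0.8", bytes_out=""),         # field has no value
    dict(BASE, src="10.0.0.9", _time=1699995700),     # older than the latest hour
]

if __name__ == "__main__":
    for row in ROWS:
        print(row["src"], *explain(row))
```

Rows that report a missing field correspond to the case where the alert stays silent regardless of traffic level; rows that fail only a limit check mean the traffic is simply below the threshold.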
Hello, I'm also working with this query. I found there was an error on line 4 at the end; it shouldn't be:
The other thing is that you need to search All time.
In expressions like those, the field name is replaced with the field's value and then the expression is evaluated using common arithmetic rules.
Hello, I was also wondering the same, as I also want to implement this use case, but searching all time consumes a lot of resources and I want to decrease it to a shorter time frame.
"where num_data_samples >=4"
Why do you have 4 in your query?