All Apps and Add-ons

Cisco ASA volume detection today against same day from the last week.

Path Finder

Hi team!

I need to detect a volume of daily traffic. I would like to be able to compare it with the same day of the week before.

If I exceed 20% that creates an alert.

This is my actual search but it is not working.

index=cisco_asa sourcetype="cisco:asa" Cisco_ASA_action=teardown  src_ip=10.0.11.23  earliest=-4w   | eval gb=bytes/1024/1024/1024
 | timechart sum(gb) span=1h 
 | where strftime(_time, "%A") == strftime(now(),"%A") 
 | timewrap w 
 | rename "* ago" as * | addtotals "2w" "3w" "4w" | eval avg=Total/3.0  | rename latest_week as Today 1week_before as Lastday _time as Date | eval ChangePercent = (Today - Lastday) / 100 | convert timeformat="%m/%d/%Y %H:%M:%S" ctime(Date)  | where ChangePercent > 0.2

Thank you!

0 Karma

Esteemed Legend

Check out this INCREDIBLE answer from @mmodestino_splunk here (be SURE to UpVote😞
https://answers.splunk.com/answers/511894/how-to-use-the-timewrap-command-and-set-an-alert-f.html

0 Karma

Super Champion

If you just want to alert between two points in time, may be good to have two searches rather than scanning whole of 4 weeks. If you are scanning just for 1hour slot, then just scan for that hour slot only
For example last week, 1 hour slot would be -169h and -168h

index=cisco_asa sourcetype="cisco:asa" Cisco_ASA_action=teardown src_ip=10.0.11.23 earliest=-169h earliest= -168h
| stats sum(bytes) as bytes_lastWeek
| join [search index=cisco_asa sourcetype="cisco:asa" Cisco_ASA_action=teardown src_ip=10.0.11.23 earliest=-2h earliest=-1h
| stats sum(bytes) as bytes as bytes_thisWeek ]
| percentage=(bytes_thisWeek-bytes_lastWeek)/100

..
something like that..

0 Karma