Re: Cisco ASA volume detection today against same ...

christianubeda · ‎05-27-2019

Hi team!

I need to detect a volume of daily traffic. I would like to be able to compare it with the same day of the week before.

If I exceed 20% that creates an alert.

This is my actual search but it is not working.

index=cisco_asa sourcetype="cisco:asa" Cisco_ASA_action=teardown  src_ip=10.0.11.23  earliest=-4w   | eval gb=bytes/1024/1024/1024
 | timechart sum(gb) span=1h 
 | where strftime(_time, "%A") == strftime(now(),"%A") 
 | timewrap w 
 | rename "* ago" as * | addtotals "2w" "3w" "4w" | eval avg=Total/3.0  | rename latest_week as Today 1week_before as Lastday _time as Date | eval ChangePercent = (Today - Lastday) / 100 | convert timeformat="%m/%d/%Y %H:%M:%S" ctime(Date)  | where ChangePercent > 0.2

Thank you!

woodcock · ‎11-10-2019

Check out this INCREDIBLE answer from @mmodestino_splunk here (be SURE to UpVote😞
https://answers.splunk.com/answers/511894/how-to-use-the-timewrap-command-and-set-an-alert-f.html

koshyk · ‎05-27-2019

If you just want to alert between two points in time, may be good to have two searches rather than scanning whole of 4 weeks. If you are scanning just for 1hour slot, then just scan for that hour slot only
For example last week, 1 hour slot would be -169h and -168h

index=cisco_asa sourcetype="cisco:asa" Cisco_ASA_action=teardown src_ip=10.0.11.23 earliest=-169h earliest= -168h
| stats sum(bytes) as bytes_lastWeek
| join [search index=cisco_asa sourcetype="cisco:asa" Cisco_ASA_action=teardown src_ip=10.0.11.23 earliest=-2h earliest=-1h
| stats sum(bytes) as bytes as bytes_thisWeek ]
| percentage=(bytes_thisWeek-bytes_lastWeek)/100

..
something like that..

Cisco ASA volume detection today against same day from the last week.

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms