Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Graphing Weighted Values

nickhills
Ultra Champion
‎10-25-2011 05:01 AM

we have log files which record incoming connections from our clients and the device_id.
we would like to graph a representative number of incoming connections weighted by the number of devices they have. The idea being that if a customer has an unusually high number of connections for the devices they have, it would indicate an issue.

our log files look like this:

2011-10-25 12:06:44.829 : DLG : INFO   : DeviceConnection [device_id:088243] [client:abc.com] new connection event with client id

i have field extractions for device_id and client_id, but cant work our how to graph this.

what i want is number of connectons for client_id / number of device_ids (where number of devices come from occurrences in the logs across the same time period)

i think i need an eval statement, but cant quite figure out the syntax. Can anyone help, or point me in the right direction.

thanks very much.

If my comment helps, please give it a thumbs up!
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎10-25-2011 11:08 AM

I don't really understand what you're asking or why you're taking min(countdev), but seems to me that

ssourcetype=DLOG "new connection" 
| stats count as connections, dc(device_id) as num_devices by client_id
| eval ratio = connections/num_devices

gives you the connections for each client, and the number of devices for each client, and divides them. You can add a | sort - ratio to see the most suspicious ones.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎10-25-2011 11:55 AM

gkanapathy,

thanks for your comment, it was enough to push me in the right direction.... this is what worked.

sourcetype=DLOG "new connection" |stats count as connections,dc(device_id) as num_devices by client_id| eval ratio = connections/num_devices|stats avg(ratio) AS Connection_Ratio by client_id|sort -Connection_Ratio limit=10

thanks very much!

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎10-25-2011 12:01 PM

Your second stats command does not do anything at all other than remove and rename some fields, and you can do this much more clearly and efficiently with the fields command, and by selecting the right field names in the first place (in the eval).

0 Karma
Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎10-25-2011 11:08 AM

I don't really understand what you're asking or why you're taking min(countdev), but seems to me that

ssourcetype=DLOG "new connection" 
| stats count as connections, dc(device_id) as num_devices by client_id
| eval ratio = connections/num_devices

gives you the connections for each client, and the number of devices for each client, and divides them. You can add a | sort - ratio to see the most suspicious ones.

0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎10-25-2011 08:01 AM

I have now got as far as the following:

 sourcetype=DLOG "new connection" client_id=536352|eventstats dc(device_conn_id) AS numdev|eventstats count(device_conn_id) AS countdev|eval ratio=(countdev/numdev)|stats min(countdev) by client_id,numdev,ratio

this gives me a ratio field, which is number of events / number of devices.

but i want to run this against all client ids, but when i remove the client id from the search, it returns totals (across all accounts), and thus 1 identical ratio and number of events for all clients.

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...