I want to check login behavior on a per-app basis. In short, to look at when most logins happen. For example: if an application's login behavior follows US business hours (~9am - ~6pm), but we see a login spike at 1am, that's probably something strange. That's the sort of thing I'd like to find out.
Can anyone help me with writing SPL for this?
Any suggestions will be helpful.
Note: We are not using Splunk Enterprise Security in our environment.
Collect your counts by the hour. Calculate the day of the week and hour ("%w%H"). Do this for your data and an average over the last month or two or whatever time period is appropriate. Then compare the count for the week and hour for the app to the average count for the week and hour for the app to see if there is a marked change. Alternatively, look at the machine learning options available with Splunk.
Thanks for giving the alternative; machine learning in Splunk seems better.
I know I need to do more than just an average + standard deviation (unless login volume really does follow a Gaussian distribution), so I need to figure out a good method for baselining. For this I probably need to do some basic five-number summary things to explore (min, max, median, first quartile, third quartile), keeping in mind the cyclic nature of the data (e.g., business hours + work days vs. off-hours and weekends).
So I am not sure how to approach this with machine learning: which algorithm or method to start with, and also what search query to use to fit the algorithm for my use case.
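The following search is an added example (not from the answer above or from Splunk) that puts the "%w%H" bucketing suggested in the answer together with the five-number-summary baseline asked for in the follow-up. It assumes hypothetical field and index names: login events live in `index=auth` with `sourcetype=app_login`, successful logins carry `action=success`, and the application name is in a field called `app`. The baseline is the last 60 days excluding the most recent 7, summarised per app and per weekday-hour bucket, and the current week's hourly counts are flagged when they exceed the upper Tukey fence (Q3 + 1.5 × IQR) of that bucket, which does not assume a Gaussian distribution:

```spl
index=auth sourcetype=app_login action=success earliest=-60d@d latest=now
| bin _time span=1h
| stats count AS logins BY app _time
| eval dowhr=strftime(_time, "%w%H")
| eval is_current=if(_time >= relative_time(now(), "-7d@h"), 1, 0)
| eval baseline_logins=if(is_current=0, logins, null())
| eventstats min(baseline_logins) AS min_logins perc25(baseline_logins) AS q1 median(baseline_logins) AS med_logins perc75(baseline_logins) AS q3 max(baseline_logins) AS max_logins count(baseline_logins) AS baseline_weeks BY app dowhr
| where is_current=1 AND baseline_weeks >= 4
| eval iqr=q3-q1, upper_fence=q3+1.5*iqr
| where logins > upper_fence
| table _time app dowhr logins min_logins q1 med_logins q3 max_logins upper_fence baseline_weeks
| sort - logins
```

Line by line: `bin` and `stats` produce one row per app per hour; `strftime(_time, "%w%H")` labels each row with its weekday (0 = Sunday) and hour so that Monday 09:00 is only ever compared with other Mondays at 09:00; `baseline_logins` is null for the current week so that `eventstats` (which ignores nulls) computes the summary from history only; `baseline_weeks >= 4` skips buckets with too little history to be meaningful. Two caveats: `stats` emits no row for an hour with zero logins, so buckets that are normally silent (the 1am case in the question) have no baseline rows and the fence is undefined there; if those matter, replace the `stats` line with `| timechart span=1h count AS logins BY app | untable _time app logins` so zero-count hours are present. Also, 60 days of history means roughly eight samples per bucket, so the quartiles are coarse; lengthen `earliest` if retention allows.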