Getting Data In

How do you use NetFlow to detect traffic spikes over a 10 min window by src_ip?

honey4sec
Explorer

Hi,

I am currently trying to create a search that looks at NetFlow data from all our hosts using a specified port 389

The value(traffic) is not fixed as some of our hosts have a normal hight chattiness using LDAP.

So my problem is that I haven't figured out how to create a search that's able to find the spikes in traffic.

What i do is trying to count packets, and say if the volume is doubled within the timewindow of 10 minutes, create an alert for that one host(src_ip)

Any tips or tricks?

I did try creating a search using moving average but the visual representation was all mumbled using timechart.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...