
How to factor throttled results into a report on historical events

sssinqiry5
Engager

Hi all,

I have a platform sending me events every 30 seconds, and I batch the events based on a distinct variable "tomatoes" and send them to the relevant team every 10 mins as an alert.

I wrote the below to show management the total number of raw events vs the number of alerts being sent, based on historical data. I have now been asked to report on what the numbers would be if I throttled the alerts so that a distinct tomato would not create a new alert for 1 hour, and I have no idea how to do this.

I don't need help with writing the alert, but I need help with creating a report. The throttled alerts have not been created yet; I need to figure out how to remove a distinct IP from the results for 1 hour and then put them back in.

index=*
| bin _time span=10m
| eval time=strftime(_time, "%m/%d/%Y %H:%M")
| stats dc(tomatoes), count by time
| rename dc(tomatoes) as distinct_tomatoes, count as total_tomatoes
| table time, distinct_tomatoes, total_tomatoes
| appendpipe
    [ stats sum(distinct_tomatoes) as distinct_tomatoes, sum(total_tomatoes) as total_tomatoes
    | eval time="Total" ]
| appendpipe
    [ where time!="Total"
    | stats avg(distinct_tomatoes) as distinct_tomatoes, avg(total_tomatoes) as total_tomatoes
    | eval distinct_tomatoes=round(distinct_tomatoes,1), total_tomatoes=round(total_tomatoes,1)
    | eval time="Average" ]

time                 distinct_tomatoes   total_tomatoes
03/24/2022 19:00                     1                4
03/24/2022 19:10                     1                2
03/24/2022 19:20                     2                5
03/24/2022 19:30                     1                4
03/24/2022 19:40                     1                5
03/24/2022 19:50                     3                5
Total                                9               25
Average                            1.5              4.2
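Added example (not code from the original post, and not an SPL search): a Python replay of the historical events that applies the proposed rule offline and produces the same per-bin, Total and Average rows as the posted report, plus a column for the alerts that would have fired with a 1-hour per-tomato suppression. Python is used here rather than SPL because the suppression state depends on which earlier alerts actually fired, which is easier to show as an explicit replay. Assumptions, all labelled in the code: throttling means that once an alert fires for a tomato, no further alert fires for that tomato until an hour after the alert that fired (after which it can fire again); the start of each 10-minute bin stands in for the time the batch alert would have run; and the input is constructed sample data whose first six bins reproduce the counts in the posted table, with one extra 20:00 bin added to show a tomato becoming eligible again.

```python
from collections import defaultdict
from datetime import datetime, timezone

BIN_SECONDS = 600        # the poster's 10-minute alert batches (bin _time span=10m)
THROTTLE_SECONDS = 3600  # proposed rule: one alert per distinct tomato per hour
TIME_FMT = "%m/%d/%Y %H:%M"

# Constructed sample input (not real data). Offsets are minutes after 19:00 on
# 2022-03-24 UTC; each entry yields `count` events 30 s apart for one tomato.
# The first six bins reproduce the per-bin counts in the posted table; the 20:00
# bin is added to show tomato A becoming eligible again once its hour has elapsed.
BASE = int(datetime(2022, 3, 24, 19, 0, tzinfo=timezone.utc).timestamp())
PLAN = [
    (0, "A", 4), (10, "A", 2), (20, "A", 3), (20, "B", 2), (30, "B", 4),
    (40, "A", 5), (50, "A", 2), (50, "B", 2), (50, "C", 1), (60, "A", 1), (60, "B", 1),
]


def constructed_events():
    """Return a list of (epoch_seconds, tomato) tuples built from PLAN."""
    return [(BASE + minute * 60 + i * 30, tomato)
            for minute, tomato, count in PLAN for i in range(count)]


def simulate_throttle(events, bin_seconds=BIN_SECONDS, throttle_seconds=THROTTLE_SECONDS):
    """Replay events in time order and count, per bin, the raw events, the distinct
    tomatoes (= alerts sent today, one per tomato per batch) and the alerts that
    would have fired with a per-tomato suppression window of `throttle_seconds`.

    Assumed throttle semantics: an alert that fires for a tomato suppresses further
    alerts for that tomato until `throttle_seconds` after the alert that fired; the
    bin start stands in for the time the batch alert would have run.
    """
    bins = defaultdict(list)
    for ts, tomato in events:
        bins[ts - ts % bin_seconds].append(tomato)   # same floor as `bin _time span=10m`
    last_fired = {}   # tomato -> bin start of the most recent alert that actually fired
    rows = []
    for start in sorted(bins):
        distinct = set(bins[start])
        fired = 0
        for tomato in sorted(distinct):
            prev = last_fired.get(tomato)
            if prev is None or start - prev >= throttle_seconds:
                fired += 1
                last_fired[tomato] = start   # window restarts only when an alert fires
        rows.append({
            "time": datetime.fromtimestamp(start, timezone.utc).strftime(TIME_FMT),
            "total_tomatoes": len(bins[start]),
            "distinct_tomatoes": len(distinct),
            "throttled_alerts": fired,
        })
    return rows


def summarize(rows):
    """Total and rounded average per column, matching the post's appendpipe rows."""
    cols = ("total_tomatoes", "distinct_tomatoes", "throttled_alerts")
    totals = {c: sum(r[c] for r in rows) for c in cols}
    averages = {c: round(totals[c] / len(rows), 1) for c in cols}
    return totals, averages


if __name__ == "__main__":
    rows = simulate_throttle(constructed_events())
    totals, averages = summarize(rows)
    print(f"{'time':18}{'distinct':>10}{'total':>8}{'throttled':>11}")
    for r in rows:
        print(f"{r['time']:18}{r['distinct_tomatoes']:>10}{r['total_tomatoes']:>8}{r['throttled_alerts']:>11}")
    print(f"{'Total':18}{totals['distinct_tomatoes']:>10}{totals['total_tomatoes']:>8}{totals['throttled_alerts']:>11}")
    print(f"{'Average':18}{averages['distinct_tomatoes']:>10}{averages['total_tomatoes']:>8}{averages['throttled_alerts']:>11}")
```

On the constructed data the six bins from the post send 9 alerts today but only 3 under the 1-hour rule (A fires at 19:00, B at 19:20, C at 19:50), and the added 20:00 bin shows A firing again exactly one hour after its first alert while B stays suppressed until 20:20. One caveat worth stating in the report: the replay knows nothing about alerts that fired before the first event in the window, so every tomato is eligible in the first bin and the first hour of any historical range can over-count throttled alerts slightly; start the replay an hour before the period being reported on if that matters.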