We have not been using Splunk ES for long, and the “xswhere” used for this notable is an extreme search. The extreme search provides a non-fixed threshold on when to alert, but it needs time to baseline first. During this time, this correlation rule may be very active in creating notables, as it has yet to establish a baseline for each destination port.
```
| tstats allow_old_summaries=true count, values(All_Traffic.tag) as tag from datamodel=Network_Traffic.All_Traffic where nodename=All_Traffic.Traffic_By_Source.LAN_Traffic by All_Traffic.dest_port
| rename All_Traffic.dest_port as dest_port
| xswhere count from count_by_dest_port_1d in network_traffic by dest_port is extreme
```
I tried to remove some of the IPs of the known devices to reduce the count by updating the query.
```
| tstats allow_old_summaries=true count, values(All_Traffic.tag) as tag, values(All_Traffic.src_ip) as src_ip from datamodel=Network_Traffic.All_Traffic where nodename=All_Traffic.Traffic_By_Source.LAN_Traffic by All_Traffic.dest_port
| rename All_Traffic.dest_port as dest_port
| lookup testexclude.csv ip as src_ip outputnew ip as ip
| where src_ip!=ip
| xswhere count from count_by_dest_port_1d in network_traffic by dest_port is extreme
```
I also know we can check the current threshold level for this using extreme search, but I am unable to do that and update the query in some way. But I am not sure about it.
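As an added illustration (not from the post and not Splunk's own code), the following Python models why the lookup exclusion in the second query above does not lower the per-port count: by the time `where` runs, `tstats` has already summed `count` by `dest_port`, so the exclusion can only keep or drop whole rows. The sample events, the `testexclude.csv` contents and the row-keep rule used for the multivalue `src_ip` field are constructed assumptions.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample records standing in for Network_Traffic.All_Traffic events
# (hypothetical data, not taken from the post).
EVENTS = [
    {"src_ip": "10.0.0.5", "dest_port": 445},
    {"src_ip": "10.0.0.5", "dest_port": 445},
    {"src_ip": "10.0.0.9", "dest_port": 445},
    {"src_ip": "10.0.0.5", "dest_port": 3389},
    {"src_ip": "10.0.0.7", "dest_port": 3389},
    {"src_ip": "10.0.0.8", "dest_port": 22},
]

# Constructed stand-in for the testexclude.csv lookup (single "ip" column).
TESTEXCLUDE_CSV = "ip\n10.0.0.5\n10.0.0.9\n"


def load_exclusions(csv_text):
    """Parse the lookup as CSV with an 'ip' header and return the IPs as a set."""
    return {row["ip"] for row in csv.DictReader(io.StringIO(csv_text))}


def count_after_aggregation(events, excluded):
    """Mirror the posted query: aggregate count and values(src_ip) by dest_port
    first, then apply the exclusion. The count is already summed per port, so
    the filter can only keep or drop a whole row. Assumed (simplified) rule: a
    row survives if at least one of its source IPs is not excluded."""
    count = Counter(e["dest_port"] for e in events)
    srcs = defaultdict(set)
    for e in events:
        srcs[e["dest_port"]].add(e["src_ip"])
    return {port: c for port, c in count.items() if srcs[port] - excluded}


def count_before_aggregation(events, excluded):
    """Filter the events first, then aggregate. This is the count that both the
    baseline (context) and the alert should be built from if known devices are
    meant to be ignored."""
    kept = (e["dest_port"] for e in events if e["src_ip"] not in excluded)
    return dict(Counter(kept))
```

The same holds in SPL: an exclusion of known source IPs has to be applied in the `tstats` `where` clause, ahead of the `by dest_port` aggregation, and the context generation search should use the same filter so the baseline matches what the rule alerts on.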
> And also I know we can check the current threshold level for this using extreme search

```
| inputlookup network_traffic.context.csv | table class,concept,center,count,domainMax,domainMin,points,size,type
```
Add this to look at a given port:
```
| search class=9571
```
Check the 3 pipe-separated values in points, per concept, e.g.:
Hi, this has a backing context generation search that you should review: Network - Port Activity By Destination Port - Context Gen.
I also recommend getting the Extreme Search Visualization app, which has tools for visually reviewing contexts and more documentation. https://splunkbase.splunk.com/app/2855/