easy way to determine cause for increase in traffi...

dtakacssplunk · ‎10-19-2020

suppose my logs have fields A=a1..aN, B=b1..bN, C=c1..cN
and I see an increase in number of requests, i.e
index=* | bucket _time span=1h | stats count by _time
Is there a special query that I can execute which allows me to easily figure out which dimension / value is contributing to the increase most?
e.g. the outcome would be
A=a423 has increased the traffic the most

bowesmana · ‎10-19-2020

This is a bit fiddly as normally you could use top to find the most common field. One question, do you want to have your top field shown by 1 hour time as in your example.

Anyway, you can try this

index=*
| bucket _time span=1h
| eventstats count as topA by A _time
| eventstats count as topB by B _time
| eventstats count as topC by C _time
| eventstats max(topA) as maxA by _time
| eventstats max(topB) as maxB by _time
| eventstats max(topC) as maxC by _time
| where topA=maxA OR topB=maxB OR topC=maxC
| stats values(eval(if(topA=maxA,A,null()))) as A 
        values(eval(if(topB=maxB,B,null()))) as B 
        values(eval(if(topC=maxC,C,null()))) as C
        max(max*) as max* by _time
| table _time A maxA B maxB C maxC

It's heavy on using eventstats, which is not very efficient, but is calculating counts of each of the fields then looking for the max of those fields and then filtering only the ones that are max for each of the fields.

The final stats is then working out the values of each field (there could be more than one value with the same count)

This will give you the max of each field in the given time period

Hope this is useful

I may have over complicated it, but I can't think of a simple solution at the moment, others may chime in.

easy way to determine cause for increase in traffic

other

using Splunk Enterprise

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life