Splunk Search

Average of web requests blocked - span of 10 minutes

rookie507SL
New Member

Hi mates,

I'm trying to get the most 10 IP addresses with blocked web requests during a month, but the threshold should be using the count of requests during a 10 minutes window.

This is my query so far

index=index-example  dest_interface=wan_if sourcetype=source_example action=blocked subtype=webfilter | bucket _time span=10m
| stats count by source_ip URL 
| where count > 50

If I use the query above, I will get the IP addresses and URL visited. But, if I search for a month using this query, I will get a sum of the "count" value, getting results of 7,000 for example.

I would like to get an average of the count value, and this way I can see which IP addresses are involved in this type of traffic.

I read about using avg(field), but I cannot decide where to use it. I thought about including "stats avg(count)" but I cannot get results.

Please, any idea would be appreciated.

Thanks !

0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

index=index-example  dest_interface=wan_if sourcetype=source_example action=blocked subtype=webfilter
| bucket _time span=10m
| stats count BY source_ip URL _time
| stats avg(count) AS count BY source_ip URL
| where count > 50

View solution in original post

0 Karma

woodcock
Esteemed Legend

Like this:

index=index-example  dest_interface=wan_if sourcetype=source_example action=blocked subtype=webfilter
| bucket _time span=10m
| stats count BY source_ip URL _time
| stats avg(count) AS count BY source_ip URL
| where count > 50

View solution in original post

0 Karma

rookie507SL
New Member

Sorry for the late response.

Really thank you for your reply, it worked.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!