Splunk Search

Average of web requests blocked - span of 10 minutes

rookie507SL
New Member

Hi mates,

I'm trying to get the most 10 IP addresses with blocked web requests during a month, but the threshold should be using the count of requests during a 10 minutes window.

This is my query so far

index=index-example  dest_interface=wan_if sourcetype=source_example action=blocked subtype=webfilter | bucket _time span=10m
| stats count by source_ip URL 
| where count > 50

If I use the query above, I will get the IP addresses and URL visited. But, if I search for a month using this query, I will get a sum of the "count" value, getting results of 7,000 for example.

I would like to get an average of the count value, and this way I can see which IP addresses are involved in this type of traffic.

I read about using avg(field), but I cannot decide where to use it. I thought about including "stats avg(count)" but I cannot get results.

Please, any idea would be appreciated.

Thanks !

0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

index=index-example  dest_interface=wan_if sourcetype=source_example action=blocked subtype=webfilter
| bucket _time span=10m
| stats count BY source_ip URL _time
| stats avg(count) AS count BY source_ip URL
| where count > 50

View solution in original post

0 Karma

woodcock
Esteemed Legend

Like this:

index=index-example  dest_interface=wan_if sourcetype=source_example action=blocked subtype=webfilter
| bucket _time span=10m
| stats count BY source_ip URL _time
| stats avg(count) AS count BY source_ip URL
| where count > 50
0 Karma

rookie507SL
New Member

Sorry for the late response.

Really thank you for your reply, it worked.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...