Hi,
Is there a way of showing the percentage increase or decrease from the command:
"stats count as daycount by date_mday | streamstats avg(daycount)"
So you can see on a visualization if the events for that day are above or below average?
Thanks in advance.
-Colin
Maybe like this (you need to be more clear and show sample events with a mockup of the end goal data):
index=_*
| stats count AS daycount BY date_mday
| eventstats avg(daycount) AS avg_daycount
| eval deviation = daycount - avg_daycount
Woodcock,
I was combing through some posts and came across your answer to this one and wanted to know if the following search based on your answer above was the most optimal way to identify a spike in the count for a host with ssh outbound activity. Search is as follows:
index=foo sourcetype="foo" dest_port=22
| stats count as hourcount by date_hour src
| eventstats avg(hourcount) AS avg_hourcount by src
| eval deviation = hourcount - avg_hourcount
| eval percentChange=round(((hourcount-avg_hourcount)/abs(avg_hourcount))*100,2)
| where percentChange > 200
I'm looking for a report/alert that takes the count per src every hour and compares it to the previous hour and calculates the percentage increase. I know there are many ways to skin a cat in Splunk, but was wondering if this search is the most optimal way to look for spikes in traffic.
Thx
This definitely should work. Be aware that there are some perc* and stdev* functions that you can use, too.
You could add:
...|eval percentChange=round(((daycount-avg_daycount)/abs(avg_daycount))*100,2)
That should give you a positive or negative percentage from the count vs the average.
You can show the count and the percent change on a chart and put the percent change on the chart overlay for a visualization.
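The searches in this thread compute the same thing in three steps: count per period, an average (and optionally a standard deviation) over those periods, and a percent change against that baseline. The follow-up question also asks about comparing each hour to the previous hour rather than to the average. The example below, added here and not part of the original thread or of Splunk, reproduces all of those calculations in plain Python over a constructed set of key=value events so the numbers can be checked by hand. The event format, the host addresses, and the function names (`hourly_counts`, `score_hours`, `spikes`) are assumptions made for the illustration; the formulas are the ones posted above.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events (not from the thread): key=value lines of the kind
# the search "index=foo dest_port=22" filters on. 10.0.0.5 is quiet for four
# hours and then bursts at date_hour=4; 10.0.0.7 is steady all day. One
# dest_port=443 line shows that the port filter is applied before counting.
SAMPLE_EVENTS = (
    "date_hour=0 src=10.0.0.5 dest_port=22\n"
    "date_hour=1 src=10.0.0.5 dest_port=22\n"
    "date_hour=2 src=10.0.0.5 dest_port=22\n"
    "date_hour=3 src=10.0.0.5 dest_port=22\n"
    "date_hour=3 src=10.0.0.5 dest_port=443\n"
    + "date_hour=4 src=10.0.0.5 dest_port=22\n" * 16
    + "".join(f"date_hour={h} src=10.0.0.7 dest_port=22\n" for h in range(5) for _ in range(2))
)


def parse_event(line):
    """Split 'k=v k=v' into a dict (hypothetical event format)."""
    return dict(field.split("=", 1) for field in line.split())


def hourly_counts(raw, dest_port="22"):
    """Equivalent of: dest_port=22 | stats count AS hourcount BY date_hour src"""
    counts = defaultdict(int)
    for line in raw.splitlines():
        ev = parse_event(line)
        if ev.get("dest_port") == dest_port:
            counts[(ev["src"], int(ev["date_hour"]))] += 1
    return dict(counts)


def percent_change(value, baseline):
    """round(((value-baseline)/abs(baseline))*100, 2) from the thread.
    Splunk's eval yields null on division by zero, so return None there."""
    if baseline == 0:
        return None
    return round((value - baseline) / abs(baseline) * 100, 2)


def score_hours(counts):
    """Per src: eventstats avg()/stdev() over that src's hours, then per hour the
    deviation, the percent change vs the average (the thread's percentChange),
    the percent change vs the previous hour, and a z-score using stdev."""
    by_src = defaultdict(list)
    for (src, hour), n in counts.items():
        by_src[src].append((hour, n))
    rows = []
    for src, hours in by_src.items():
        hours.sort()                      # previous-hour comparison needs time order
        values = [n for _, n in hours]
        avg = mean(values)                # eventstats avg(hourcount) BY src
        sd = pstdev(values)               # eventstats stdevp(hourcount) BY src
        prev = None
        for hour, n in hours:
            rows.append({
                "src": src,
                "date_hour": hour,
                "hourcount": n,
                "avg_hourcount": avg,
                "deviation": n - avg,
                "pct_vs_avg": percent_change(n, avg),
                "pct_vs_prev": None if prev is None else percent_change(n, prev),
                "zscore": None if sd == 0 else round((n - avg) / sd, 2),
            })
            prev = n
    return rows


def spikes(rows, threshold=200):
    """Equivalent of: where percentChange > 200"""
    return [r for r in rows if r["pct_vs_avg"] is not None and r["pct_vs_avg"] > threshold]


def row_for(rows, src, hour):
    """Convenience lookup for one src/hour result."""
    return next(r for r in rows if r["src"] == src and r["date_hour"] == hour)


if __name__ == "__main__":
    results = score_hours(hourly_counts(SAMPLE_EVENTS))
    for r in results:
        print(r)
    print("spikes:", spikes(results))
```

The `pct_vs_prev` column is the hour-over-hour comparison the follow-up asks about; in SPL the same value comes from sorting by `src date_hour` and running `streamstats current=f last(hourcount) AS prev_hourcount BY src` before the eval. Note that `eventstats avg()` over the whole search window includes the spike hour itself, so with only a handful of periods a burst inflates its own baseline and lowers its own percent change; the stdev-based z-score has the same property, which is why both thresholds are easier to tune against a longer baseline than against a few hours.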