Is there a way of showing the percentage increase or decrease from the command:
"stats count as daycount by date_mday | streamstats avg(daycount)"
So you can see on a visualization if the events for that day are above or below average?
Thanks in advance.
You could add:
That should give you a positive or negative percentage from the count vs. the average.
You can show the count and the percent change on a chart, and put the percent change on the chart overlay for a visualization.
Maybe like this (you need to be clearer and show sample events with a mockup of the end goal data):
index=_* | stats count AS daycount BY date_mday | eventstats avg(daycount) AS avg_daycount | eval deviation = daycount - avg_daycount
I was combing through some posts and came across your answer to this one, and wanted to know if the following search, based on your answer above, was the most optimal way to identify a spike in the count for a host with ssh outbound activity. The search is as follows:
index=foo sourcetype="foo" dest_port=22 | stats count as hourcount by date_hour src | eventstats avg(hourcount) AS avg_hourcount by src | eval deviation = hourcount - avg_hourcount | eval percentChange=round(((hourcount-avg_hourcount)/abs(avg_hourcount))*100,2) | where percentChange > 200
I'm looking for a report/alert that takes the count per src every hour and compares it to the previous hour and calculates the percentage increase. I know there are many ways to skin a cat in Splunk, but was wondering if this search is the most optimal way to look for spikes in traffic.
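As an added example (not part of any post in this thread), the following Python re-implements the two calculations the thread is discussing over a handful of constructed events, so the two notions of "spike" can be compared side by side: the average-based percentChange that the search above computes (eventstats avg BY src, then eval/where), and the previous-hour comparison the last post describes in words, which in SPL would need streamstats rather than eventstats (e.g. `sort src date_hour | streamstats current=f last(hourcount) AS prev_hourcount BY src`). The hosts, hours and counts are made up; the field names mirror the search in the thread.

```python
"""Re-implementation of the SPL pipeline from the thread, over constructed events."""
from collections import Counter, defaultdict

# Constructed sample events (hypothetical hosts): each tuple is (src, date_hour, dest_port).
SAMPLE_EVENTS = (
    [("10.0.0.5", h, 22) for h in range(5) for _ in range(2)]    # steady 2 ssh events/hour
    + [("10.0.0.5", 5, 22)] * 20                                  # burst of 20 in hour 5
    + [("10.0.0.9", h, 22) for h in range(6) for _ in range(10)]  # flat 10/hour, no spike
    + [("10.0.0.5", 5, 443)] * 50                                 # non-ssh, filtered out
)


def stats_count(events, dest_port=22):
    """`dest_port=22 | stats count AS hourcount BY date_hour src`.
    Like stats, only (hour, src) pairs that actually have events produce a row."""
    counts = Counter((hour, src) for src, hour, port in events if port == dest_port)
    return [{"date_hour": h, "src": s, "hourcount": c} for (h, s), c in sorted(counts.items())]


def eventstats_avg(rows):
    """`eventstats avg(hourcount) AS avg_hourcount BY src`: the per-src mean over all
    hours in the search window is attached to every row of that src."""
    by_src = defaultdict(list)
    for r in rows:
        by_src[r["src"]].append(r["hourcount"])
    avgs = {s: sum(v) / len(v) for s, v in by_src.items()}
    return [dict(r, avg_hourcount=avgs[r["src"]]) for r in rows]


def eval_percent_change(rows):
    """`eval deviation = ... | eval percentChange = round(((hourcount-avg_hourcount)/abs(avg_hourcount))*100, 2)`.
    An average of 0 makes the division null in SPL; here it becomes None."""
    out = []
    for r in rows:
        avg = r["avg_hourcount"]
        dev = r["hourcount"] - avg
        pct = round(dev / abs(avg) * 100, 2) if avg else None
        out.append(dict(r, deviation=dev, percentChange=pct))
    return out


def where_spike(rows, threshold=200):
    """`where percentChange > 200` (null percentChange never passes the filter)."""
    return [r for r in rows if r["percentChange"] is not None and r["percentChange"] > threshold]


def streamstats_prev_hour(rows):
    """The hour-over-hour comparison the last post asks about. Mirrors
    `sort src date_hour | streamstats current=f last(hourcount) AS prev_hourcount BY src`
    followed by an eval; the first hour seen for a src has no previous value."""
    prev, out = {}, []
    for r in sorted(rows, key=lambda r: (r["src"], r["date_hour"])):
        p = prev.get(r["src"])
        pct = round((r["hourcount"] - p) / abs(p) * 100, 2) if p else None
        out.append(dict(r, prev_hourcount=p, hourOverHour=pct))
        prev[r["src"]] = r["hourcount"]
    return out


def run(events=SAMPLE_EVENTS):
    """Return (rows flagged by the thread's search, rows with hour-over-hour change)."""
    rows = eval_percent_change(eventstats_avg(stats_count(events)))
    return where_spike(rows), streamstats_prev_hour(rows)


if __name__ == "__main__":
    spikes, hour_over_hour = run()
    for r in spikes:
        print("spike vs. average:", r)
    for r in hour_over_hour:
        print("hour-over-hour:", r["src"], r["date_hour"], r["hourcount"], r["hourOverHour"])
```

With this data the bursting host's hour 5 is 300% above its own average and 900% above the previous hour, while the flat host sits at 0% on both measures. The two numbers differ because eventstats averages over every hour in the search window, including the spike itself, which dampens the percentage as the window grows, whereas the previous-hour comparison only looks one row back per src.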