Creating a Splunk Alert Rule for Anomoly's detecte...

Splunk Search

Hello,

I am trying to create a splunk alert to trigger when it detects an anomaly in the firewall logs based on IDS signature.

I created a pretty good graph that would work well in a dasboard, but I need it to populate a table or stats on when a outlier is found and which signature it is.

This is what I have so far:

index="firewall" sourcetype="threat" tag=attack action=allowed
| bin _time span=4h
| eventstats count(signature) as "Count" by _time
| eventstats values(Count) as valu
| eventstats count(valu) as help by _time
| eventstats median(Count) as med
| eval newValue = abs(Count-med)
| eventstats median(newValue) as medianAbsDev by signature
| eval upper = med+(medianAbsDev*1.1)
| eval lower = 0
| eval isOutlier=if(Count < lower OR Count > upper, 1,0)
| timechart count span=1h count(signature) as CountOfIndicator, eval(values(upper)) as upperl, eval(values(lower)) as lowerl, eval(values(isOutlier)) as Outliers by signature usenull=f useother=f
|filldown

I just need to be able to identify the outliers in a table so I can have it generate an alert when the query has results.

Get Updates on the Splunk Community!

Creating a Splunk Alert Rule for Anomoly's detected

chart

stats

table

timechart

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?