I am trying to create a Splunk alert that triggers when it detects an anomaly in the firewall logs based on the IDS signature.
I created a pretty good graph that would work well in a dashboard, but I need it to populate a table or stats on when an outlier is found and which signature it is.
This is what I have so far:
index="firewall" sourcetype="threat" tag=attack action=allowed
| bin _time span=4h
| stats count as Count by _time, signature
| eventstats median(Count) as med by signature
| eval newValue = abs(Count - med)
| eventstats median(newValue) as medianAbsDev by signature
| eval upper = med + (medianAbsDev * 1.1)
| eval lower = 0
| eval isOutlier = if(Count < lower OR Count > upper, 1, 0)
| timechart span=1h sum(Count) as CountOfIndicator, values(upper) as upperl, values(lower) as lowerl, values(isOutlier) as Outliers by signature usenull=f useother=f
| filldown
I just need to be able to identify the outliers in a table so I can have it generate an alert when the query has results.
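One way to get the alert-ready table, as an added example that is not part of the original post: keep the same 4-hour bins and median/MAD threshold per signature, but instead of feeding the result to timechart, filter to the rows where isOutlier=1 and tabulate them. The `earliest=-7d` baseline window, the restriction to the most recent bin (so that old outliers do not re-fire the alert on every run), and the column names are assumptions made for this example.

```spl
index="firewall" sourcetype="threat" tag=attack action=allowed earliest=-7d
| bin _time span=4h
| stats count as Count by _time, signature
| eventstats median(Count) as med by signature
| eval absDev = abs(Count - med)
| eventstats median(absDev) as medianAbsDev by signature
| eval upper = med + (medianAbsDev * 1.1)
| eval lower = 0
| eval isOutlier = if(Count < lower OR Count > upper, 1, 0)
| eventstats max(_time) as latestBin
| where isOutlier=1 AND _time=latestBin
| table _time, signature, Count, med, medianAbsDev, upper
| sort - Count
```

Save this as an alert with the trigger condition "Number of results is greater than 0" and schedule it to run every four hours so each run evaluates one new bin. Two things to check before trusting the results: `stats count by _time, signature` produces no row for a bin in which a signature was not seen, so signatures that appear only occasionally will have a median computed from non-zero bins only; and when more than half of a signature's bins share the same count, medianAbsDev is 0 and `upper` collapses to the median, so any bin above the median is flagged. A floor such as `eval medianAbsDev = max(medianAbsDev, 1)` before computing `upper` avoids that, and a multiplier larger than 1.1 (3 is a common choice for MAD-based thresholds) will cut noise considerably.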