Splunk Search

How to find Network Traffic Outliers?

Hisae
Engager

Hello Everyone,

I am trying to find outliers in connection duration on a specific subnet, but I am having trouble getting the outliers part to show any results. I want to get the average duration of all traffic connections from a subnet (or list of IPs) by sourceIP and application, so I am grabbing the average of connections in a 15m bin. After evaluating the outliers I want to display the time bin, sourceIP, application, AvgDuration and Outlier.

I have tried the following two queries so far, and neither gives results:

1.
index=firewall sourceip=10.0.0.1/24
| bin span=15m _time
| stats avg(duration) AS AvgTotal by sourceip, _time, app
| eval outlier=if(duration>AvgTotal*3,1,0)
| table _time sourceip app AvgDuration outlier

2.
index=firewall sourceip=10.1.11.1
| timechart span=15m avg(duration) AS AvgDuration by sourceip, _time, app
| eval outlier=if(duration>AvgDuration*3,1,0)
| table _time sourceip app AvgDuration outlier

This is just a test query I am trying, with plans to build on it. I think there is something wrong in how I am calling the table. What am I doing wrong in the two queries?

1 Solution

yeahnah
Motivator

Hi @Hisae 

You're on the right track, but after transforming the output into a table (with the stats command) you lose the duration field, so you need to output that as a column (field) too. Something like this...

index=firewall sourceip=10.0.0.1/24
| bin span=15m _time
| stats
    avg(duration) AS AvgTotal
    max(duration) AS MaxDuration
    perc95(duration) AS perc95Duration
  BY _time sourceip app
| eval outlier=if(MaxDuration > (AvgTotal*3), "yes", "no")
| table _time sourceip app AvgTotal perc95Duration MaxDuration outlier

Hope it helps.


Hisae
Engager

Thank you! It didn't work as a copy-paste, but I made a few changes to make it work. This is what worked:

index=firewall sourceip=10.0.0.1/24
| bin span=15m _time
| stats avg(duration) AS AvgTotal max(duration) AS MaxDuration by _time sourceip app
| eval outlier=if(MaxDuration>(AvgTotal*3), "yes", "no")
| table _time sourceip AvgTotal MaxDuration app outlier

I will try to make the 95th percentile work, it adds good context.
Thanks a lot!

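The following is an added, runnable Python stand-in for the logic in this thread; it is not code from either poster, and it uses the field names from the thread (sourceip, app, duration) over a constructed set of sample events rather than a real firewall index. It reproduces the accepted answer's bin-level check (`stats avg/perc95/max ... BY _time sourceip app`, then `max > 3*avg`), and then goes one step further than the thread to show two caveats a practitioner hits with that check: a single long connection alone in its 15m bin is its own average, so the bin-level test never flags it, and a per-event test that compares each duration against the mean is self-masking because the long connections inflate the mean they are compared against. The event-level function uses a median baseline by default; in SPL the equivalent is the editor's suggestion `| eventstats median(duration) AS MedianDuration BY sourceip app | where duration > 3*MedianDuration`, which keeps the raw events (and therefore `duration`) instead of collapsing them as `stats` does.

```python
"""Connection-duration outliers, mirroring the thread's SPL.

bin_stats()      ~ | bin span=15m _time | stats avg() perc95() max() BY _time sourceip app
event_outliers() ~ | eventstats median() BY sourceip app | where duration > 3*baseline
Sample events below are constructed for the example, not real firewall data.
"""
from collections import defaultdict
from datetime import datetime, timezone
import ipaddress
import math
import statistics

# Constructed sample events: (timestamp, sourceip, app, duration in seconds)
SAMPLE_EVENTS = [
    ("2024-03-01T10:01:00Z", "10.0.0.5", "ssl", 12),
    ("2024-03-01T10:03:00Z", "10.0.0.5", "ssl", 15),
    ("2024-03-01T10:07:00Z", "10.0.0.5", "ssl", 9),
    ("2024-03-01T10:11:00Z", "10.0.0.5", "ssl", 14),
    ("2024-03-01T10:13:00Z", "10.0.0.5", "ssl", 3600),   # long session inside a busy bin
    ("2024-03-01T10:20:00Z", "10.0.0.5", "ssl", 11),
    ("2024-03-01T10:22:00Z", "10.0.0.5", "ssl", 13),
    ("2024-03-01T10:31:00Z", "10.0.0.5", "ssl", 7200),   # long session alone in its bin
    ("2024-03-01T10:02:00Z", "10.0.0.9", "dns", 1),
    ("2024-03-01T10:04:00Z", "10.0.0.9", "dns", 1),
    ("2024-03-01T10:05:00Z", "10.0.0.9", "dns", 2),
    ("2024-03-01T10:03:00Z", "192.168.1.7", "ssl", 9000),  # outside the subnet filter
]


def bin_15m(ts: str) -> datetime:
    """Equivalent of `| bin span=15m _time`: floor the timestamp to a 15-minute boundary."""
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return t.replace(minute=t.minute - t.minute % 15, second=0, microsecond=0)


def percentile(values, p):
    """Nearest-rank percentile; a close stand-in for Splunk's perc<X>() on small samples."""
    s = sorted(values)
    idx = max(0, math.ceil(p / 100 * len(s)) - 1)
    return s[min(idx, len(s) - 1)]


def in_subnet(ip: str, subnet: str) -> bool:
    """Splunk accepts sourceip=10.0.0.1/24; strict=False treats it as 10.0.0.0/24 too."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(subnet, strict=False)


def bin_stats(events, subnet="10.0.0.1/24", factor=3):
    """Bin-level check as in the accepted answer: one row per (bin, sourceip, app),
    outlier="yes" when that bin's max exceeds factor * that bin's own average."""
    groups = defaultdict(list)
    for ts, ip, app, dur in events:
        if in_subnet(ip, subnet):
            groups[(bin_15m(ts), ip, app)].append(dur)
    rows = []
    for (t, ip, app), durs in sorted(groups.items()):
        avg = statistics.fmean(durs)
        rows.append({
            "_time": t.isoformat(), "sourceip": ip, "app": app,
            "AvgTotal": avg,
            "perc95Duration": percentile(durs, 95),
            "MaxDuration": max(durs),
            # A bin holding a single long connection is its own average: never flagged.
            "outlier": "yes" if max(durs) > factor * avg else "no",
        })
    return rows


def event_outliers(events, subnet="10.0.0.1/24", factor=3, baseline="median"):
    """Event-level check (the eventstats pattern): keep every event, compute a per
    (sourceip, app) baseline over the whole window, flag duration > factor * baseline.
    baseline="avg" is self-masking: the long sessions inflate the mean; "median" is not."""
    kept = [e for e in events if in_subnet(e[1], subnet)]
    per_key = defaultdict(list)
    for _, ip, app, dur in kept:
        per_key[(ip, app)].append(dur)
    agg = statistics.fmean if baseline == "avg" else statistics.median
    base = {k: agg(v) for k, v in per_key.items()}
    return [
        {"_time": bin_15m(ts).isoformat(), "sourceip": ip, "app": app,
         "duration": dur, "baseline": base[(ip, app)], "outlier": 1}
        for ts, ip, app, dur in kept if dur > factor * base[(ip, app)]
    ]


if __name__ == "__main__":
    for row in bin_stats(SAMPLE_EVENTS):
        print(row)
    print("mean baseline flags:", [h["duration"] for h in event_outliers(SAMPLE_EVENTS, baseline="avg")])
    print("median baseline flags:", [h["duration"] for h in event_outliers(SAMPLE_EVENTS)])
```

On the sample data the bin-level check flags the 3600s session (its bin averages 730s) but reports "no" for the lone 7200s session, and the mean-based event check flags only the 7200s session because the mean for that sourceip/app is already pulled up to about 1359s; the median baseline (13.5s) flags both. Whichever form you use in SPL, compute the baseline over a longer window than the 15m bin you are inspecting, and prefer `median()` or a high percentile over `avg()` when the field is heavy-tailed like connection duration.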