Get average connections for the past few days, compare to current connections

Explorer

I have the following search; I'm trying to get it to show the src, dst, the current number of connections, and then an average of how many times the src connects to the dst.

Something doesn't seem right with the code I have; I think something is wrong with the avg function I have in there.

I would like it to go back a few days, give me the average number of connections based on those results, and then show me what's currently happening.

For instance:

src       dst       Current    AVG
0.0.0.0   0.0.0.1   4450       300

This is not right:

index=net_index* (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) AND (dest_ip=10.0.0.0/8 OR dest_ip=172.16.0.0/12 OR dest_ip=192.168.0.0/16) dest_port=* action=allowed
| eventstats count by dest_ip | rename count as "Current Connections"
| bucket span=15m _time
| eventstats count by src_ip | rename count as "Average Connections"
| table src_ip, dest_ip, "Current Connections", "Average Connections"
1 Solution

Esteemed Legend

Try this:

index=net_index* (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) AND (dest_ip=10.0.0.0/8 OR dest_ip=172.16.0.0/12 OR dest_ip=192.168.0.0/16) dest_port=* action=allowed
| bin _time span=15m
| stats count BY src_ip dest_ip _time
| stats first(count) AS "Current Connections" avg(count) AS "Average Connections" BY src_ip dest_ip
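
The binned-baseline logic of the accepted answer, reimplemented in Python as an added example (not part of this thread or of Splunk) over constructed events, so the two-stage `stats` can be checked offline: bin to 15 minutes, count per src/dst/bin, then compare the latest bin with the per-pair mean. It picks the current bin explicitly by timestamp rather than by row order, and adds a hypothetical `bursting_pairs` ratio check that a detection engineer might layer on top of the result.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

SPAN = timedelta(minutes=15)  # same bucket width as `bin _time span=15m`
BASE = datetime(2024, 1, 1, 0, 0)  # constructed start of the search window

# Constructed sample events (timestamp, src_ip, dest_ip); all internal, allowed traffic.
EVENTS = (
    # Steady pair: two connections in each of four 15-minute buckets.
    [(BASE + i * SPAN + timedelta(minutes=m), "10.0.0.5", "10.0.1.9")
     for i in range(4) for m in (1, 7)]
    # Bursting pair: one connection per bucket for three buckets, then eight in the latest.
    + [(BASE + i * SPAN, "192.168.1.20", "172.16.0.3") for i in range(3)]
    + [(BASE + 3 * SPAN + timedelta(minutes=m), "192.168.1.20", "172.16.0.3")
       for m in range(8)]
)

def bucket(ts):
    """Floor a timestamp to its 15-minute bin, like `bin _time span=15m`."""
    return ts.replace(minute=ts.minute - ts.minute % 15, second=0, microsecond=0)

def per_bucket_counts(events):
    """Equivalent of `stats count BY src_ip dest_ip _time` after binning."""
    counts = defaultdict(int)
    for ts, src, dst in events:
        counts[(src, dst, bucket(ts))] += 1
    return counts

def baseline_vs_current(events):
    """Per (src, dst): count in the latest bucket (chosen by timestamp) vs. mean over all buckets."""
    per_pair = defaultdict(dict)
    for (src, dst, b), c in per_bucket_counts(events).items():
        per_pair[(src, dst)][b] = c
    rows = {}
    for pair, buckets in per_pair.items():
        latest = max(buckets)  # most recent bin, independent of row order
        rows[pair] = {"current": buckets[latest], "average": mean(buckets.values())}
    return rows

def bursting_pairs(rows, factor=2.0):
    """Hypothetical anomaly check: pairs whose current bin exceeds `factor` times their baseline."""
    return sorted(pair for pair, r in rows.items() if r["current"] > factor * r["average"])

if __name__ == "__main__":
    for (src, dst), r in baseline_vs_current(EVENTS).items():
        print(f"{src:<14} {dst:<12} current={r['current']:<3} avg={r['average']:.2f}")
```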

Explorer

Looks like it works. Thank ya much!
