Splunk Search

How can I compare a 1-day security metric to another day and also generate a metric report that shows low and high

ngwodo
Path Finder

I need help with how I can compare a 1-day security metric to another day, and also generate a metric report that shows low and high and compares it to the security metric in the spreadsheet.

Below is the Splunk query I have:

index=security sourcetype="Computers" "Computer Status"=Enabled earliest=-12mon@mon
| bin _time span=1day
| dedup _time sAMAccountName
| timechart span=1day count
| stats avg(count) AS avg stdev(count) AS stdev min(count) AS min max(count) AS max latest(count) AS latest_count
| eval min_thres=5000, max_thres=7500
| eval alert=if((latest_count<min_thres OR latest_count>max_thres), 1, 0)


ngwodo
Path Finder

The Splunk query did not run. I am just giving you an update.


to4kawa
Ultra Champion

sample:

| tstats count where index=_internal earliest=-2w@w latest=-2w@w+1d by _time span=1h
| append [| tstats count where index=_internal earliest=-1w@w latest=-1w@w+1d by _time span=1h ]
| eval time_range=if(_time <= relative_time(now(),"-1w@w-1"),"last_week","current_week")
| eventstats avg(count) AS avg stdev(count) AS stdev min(count) AS min max(count) AS max latest(count) AS latest_count by time_range
| eval time=strftime(_time,"%T")
| xyseries time time_range *
| rename "*: current_week" as current_week:*, "*: last_week" as last_week:*

xyseries would be a good choice.

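To make the two SPL pipelines in this thread checkable offline, here is an added Python re-implementation (example code, not from either post and not Splunk's own code) of what they compute: the asker's `bin _time span=1day | dedup _time sAMAccountName | count`, then `avg/stdev/min/max/latest` with fixed thresholds and an alert flag, plus a per-day low/high report against a spreadsheet column, and to4kawa's two-range pivot, where `xyseries` puts two days side by side with one row per clock hour. The events, the host names (`W1$` ...), the spreadsheet values and the thresholds (scaled down from 5000/7500 so the toy data trips them) are all constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, stdev

# Constructed sample events (not real data): (_time, sAMAccountName, Computer Status).
# W2$ is reported twice on 2024-03-01 and must be counted once per day (dedup).
EVENTS = [
    ("2024-03-01 00:10:00", "W1$", "Enabled"),
    ("2024-03-01 00:20:00", "W2$", "Enabled"),
    ("2024-03-01 01:05:00", "W2$", "Enabled"),   # duplicate of W2$ on the same day
    ("2024-03-01 01:30:00", "W3$", "Disabled"),  # dropped by "Computer Status"=Enabled
    ("2024-03-02 00:15:00", "W1$", "Enabled"),
    ("2024-03-02 00:40:00", "W2$", "Enabled"),
    ("2024-03-02 01:10:00", "W3$", "Enabled"),
    ("2024-03-02 01:50:00", "W4$", "Enabled"),
    ("2024-03-03 00:05:00", "W1$", "Enabled"),
]
# Constructed stand-in for the spreadsheet's expected value per day.
SPREADSHEET = {"2024-03-01": 2, "2024-03-02": 3, "2024-03-03": 2}
MIN_THRES, MAX_THRES = 2, 3  # scaled-down stand-ins for the thread's 5000 / 7500


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def unique_counts(events, span):
    """bin _time span=<span> | dedup _time sAMAccountName | stats count by _time.
    span is "day" or "hour"; returns {bucket: count} in time order."""
    fmt = "%Y-%m-%d" if span == "day" else "%Y-%m-%d %H:00:00"
    seen = defaultdict(set)
    for ts, account, status in events:
        if status != "Enabled":
            continue
        seen[parse(ts).strftime(fmt)].add(account)
    return {bucket: len(accts) for bucket, accts in sorted(seen.items())}


def summarize(counts, min_thres, max_thres):
    """stats avg/stdev/min/max/latest over the daily counts, then the alert eval."""
    vals = [counts[k] for k in sorted(counts)]
    sd = stdev(vals) if len(vals) > 1 else 0.0  # Splunk's stdev() is the sample stdev
    latest = vals[-1]
    return {"avg": mean(vals), "stdev": sd, "min": min(vals), "max": max(vals),
            "latest_count": latest,
            "alert": int(latest < min_thres or latest > max_thres)}


def high_low_report(counts, spreadsheet, min_thres, max_thres):
    """One row per day: count, spreadsheet value, delta, and a low/high/ok flag."""
    rows = []
    for day, count in counts.items():
        expected = spreadsheet.get(day)
        flag = "low" if count < min_thres else "high" if count > max_thres else "ok"
        rows.append({"day": day, "count": count, "spreadsheet": expected,
                     "delta": None if expected is None else count - expected,
                     "flag": flag})
    return rows


def day_over_day(counts):
    """Change versus the previous day (what 'delta count' gives after timechart)."""
    days = sorted(counts)
    return {d: counts[d] - counts[p] for p, d in zip(days, days[1:])}


def side_by_side(events, day_a, day_b):
    """Pivot two days onto one row per clock hour, as xyseries does in the answer."""
    hourly = unique_counts(events, "hour")
    table = {}
    for bucket, count in hourly.items():
        day, clock = bucket.split(" ")
        if day in (day_a, day_b):
            table.setdefault(clock, {day_a: 0, day_b: 0})[day] = count
    return [{"time": t, day_a: v[day_a], day_b: v[day_b]}
            for t, v in sorted(table.items())]


if __name__ == "__main__":
    daily = unique_counts(EVENTS, "day")
    print(daily)
    print(summarize(daily, MIN_THRES, MAX_THRES))
    for row in high_low_report(daily, SPREADSHEET, MIN_THRES, MAX_THRES):
        print(row)
    print(day_over_day(daily))
    for row in side_by_side(EVENTS, "2024-03-01", "2024-03-02"):
        print(row)
```

Two points the SPL hides that the code makes visible: `dedup _time sAMAccountName` only removes duplicates inside one bin, so a host seen in two hours counts twice at `span=1h` but once at `span=1day`; and the asker's `stats` after `timechart` collapses the per-day rows, so `min`/`max` tell you the extreme values but not which day produced them, which is why the report keeps one row per day.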