Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How I can compare 1 day security metric to another day and also generate a metric report that shows low and high

ngwodo
Path Finder
‎12-28-2020 07:08 AM

I need help on how I  can compare 1 day security metric to another day and also generate a metric report that shows low and high and compare it to the security metric in the spreadsheet.

Below is the splunk query I have:

 

 

index=security sourcetype="Computers" "Computer Status"=Enabled earliest=-12mon@mon
| bin _time span=1day
| dedup _time sAMAccountName
| timechart span=1day count
| stats avg(count) AS avg stdev(count) AS stdev min(count) AS min max(count) AS max latest(count) AS latest_count
| eval min_thres=5000, max_thres=7500
| eval alert=if((latest_count<min_thres OR latest_count>max_thres), 1, 0)

Tags (1)
0 Karma
Reply

ngwodo
Path Finder
‎12-30-2020 06:26 AM

The Splunk query did not run. I am just giving you an update.

0 Karma
Reply

to4kawa
Ultra Champion
‎12-29-2020 02:27 PM

sample:

| tstats count where index=_internal earliest=-2w@w latest=-2w@w+1d by _time span=1h
| append [| tstats count where index=_internal earliest=-1w@w latest=-1w@w+1d by _time span=1h ]
| eval time_range=if(_time <= relative_time(now(),"-1w@w-1"),"last_week","current_week")
| eventstats avg(count) AS avg stdev(count) AS stdev min(count) AS min max(count) AS max latest(count) AS latest_count by time_range
| eval time=strftime(_time,"%T")
| xyseries time time_range *
| rename "*: current_week" as current_week:*, "*: last_week" as last_week:*

xyseries would be a good choice.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...