Re: How I can compare 1 day security metric to ano...

ngwodo · ‎12-28-2020

I need help on how I can compare 1 day security metric to another day and also generate a metric report that shows low and high and compare it to the security metric in the spreadsheet.

Below is the splunk query I have:

index=security sourcetype="Computers" "Computer Status"=Enabled earliest=-12mon@mon
| bin _time span=1day
| dedup _time sAMAccountName
| timechart span=1day count
| stats avg(count) AS avg stdev(count) AS stdev min(count) AS min max(count) AS max latest(count) AS latest_count
| eval min_thres=5000, max_thres=7500
| eval alert=if((latest_count<min_thres OR latest_count>max_thres), 1, 0)

ngwodo · ‎12-30-2020

The Splunk query did not run. I am just giving you an update.

to4kawa · ‎12-29-2020

sample:

| tstats count where index=_internal earliest=-2w@w latest=-2w@w+1d by _time span=1h
| append [| tstats count where index=_internal earliest=-1w@w latest=-1w@w+1d by _time span=1h ]
| eval time_range=if(_time <= relative_time(now(),"-1w@w-1"),"last_week","current_week")
| eventstats avg(count) AS avg stdev(count) AS stdev min(count) AS min max(count) AS max latest(count) AS latest_count by time_range
| eval time=strftime(_time,"%T")
| xyseries time time_range *
| rename "*: current_week" as current_week:*, "*: last_week" as last_week:*

xyseries would be a good choice.

How I can compare 1 day security metric to another day and also generate a metric report that shows low and high

other

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2