Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I create a search for any host sending excessive logs in compare to last hour

rahul_mckc_splu
Loves-to-Learn
‎05-15-2020 12:09 PM

Please help me to create a search, where I need to detect any anomaly of any host sending excessive logs with compare to the last hour.

For eg, if a host is sending x events this hour and next hour if it will send x+25% then we should get a trigger.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-16-2020 12:38 AM

Hi @rahul_mckc_splunk1
as @to4kawa hints, try something like this:

index=your_index earliest=-2@h latest=@h
| timechart count span=1h
| delta count AS diff
| reverse
| head 1
| eval perc=diff/count*100
| where perc>25

and run this search every hour.

Ciao.
Giuseppe

0 Karma
Reply

to4kawa
Ultra Champion
‎05-15-2020 05:57 PM

bin _time , stats by _time and eval is useful to create threshold
finally, use where to fire alert.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...