Splunk Search

How to Grab Variance

a_n
Path Finder

Hello,

I am ingesting  files containing host and ports for each host.

For each Source (FILE) The Nodes(host) and ports are being extracted and since I have many ports per node I have data as:
FILE #1, NodeX, Port: 443/tcp, 80/tcp,21/tcp (and more...)
-->using mvexpand for FILE#1 I have:
Node, Port
X, 443
X, 80
X,21 
-->for FILE#2 I have the same
--> for file #3, I have:
X, 443
X, 80
(one port is missing, or in other scenarios added)
so the count for Node X per FILE will be
FILE,     Count
File#1, 3
File#2, 3
File#3, 2


I want to grab when there is a change in that count and raise an alert.
I managed to show it on chart, but as I have many nodes, the chart is not suitable.
Can any one advise the best way to grab this variance and set the alert?
Thank you.

 

Labels (1)
Tags (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

| dedup source node port
| stats count by node port
| eventstats max(count) as sources by node port
| where count!= sources

View solution in original post

a_n
Path Finder

Thank you,

With some minor modifications, it worked.
Appreciates.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

| dedup source node port
| stats count by node port
| eventstats max(count) as sources by node port
| where count!= sources
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Request for Professional Development: Attending .conf26

Winning Over the Boss: Your Pass to .conf26 conf26 is going to be here before you know it. If don't already ...

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...