Solved: How to Grab Variance

a_n · ‎06-25-2021

Hello,

I am ingesting files containing host and ports for each host.

For each Source (FILE) The Nodes(host) and ports are being extracted and since I have many ports per node I have data as:
FILE #1, NodeX, Port: 443/tcp, 80/tcp,21/tcp (and more...)
-->using mvexpand for FILE#1 I have:
Node, Port
X, 443
X, 80
X,21
-->for FILE#2 I have the same
--> for file #3, I have:
X, 443
X, 80
(one port is missing, or in other scenarios added)
so the count for Node X per FILE will be
FILE, Count
File#1, 3
File#2, 3
File#3, 2

I want to grab when there is a change in that count and raise an alert.
I managed to show it on chart, but as I have many nodes, the chart is not suitable.
Can any one advise the best way to grab this variance and set the alert?
Thank you.

ITWhisperer · ‎06-25-2021

Try something like this

| dedup source node port
| stats count by node port
| eventstats max(count) as sources by node port
| where count!= sources

View solution in original post

a_n · ‎06-25-2021

Thank you,

With some minor modifications, it worked.
Appreciates.

ITWhisperer · ‎06-25-2021

Try something like this

| dedup source node port
| stats count by node port
| eventstats max(count) as sources by node port
| where count!= sources

How to Grab Variance

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation