Solved: How to Grab Variance

a_n · ‎06-25-2021

Hello,

I am ingesting files containing host and ports for each host.

For each Source (FILE) The Nodes(host) and ports are being extracted and since I have many ports per node I have data as:
FILE #1, NodeX, Port: 443/tcp, 80/tcp,21/tcp (and more...)
-->using mvexpand for FILE#1 I have:
Node, Port
X, 443
X, 80
X,21
-->for FILE#2 I have the same
--> for file #3, I have:
X, 443
X, 80
(one port is missing, or in other scenarios added)
so the count for Node X per FILE will be
FILE, Count
File#1, 3
File#2, 3
File#3, 2

I want to grab when there is a change in that count and raise an alert.
I managed to show it on chart, but as I have many nodes, the chart is not suitable.
Can any one advise the best way to grab this variance and set the alert?
Thank you.

ITWhisperer · ‎06-25-2021

Try something like this

| dedup source node port
| stats count by node port
| eventstats max(count) as sources by node port
| where count!= sources

View solution in original post

a_n · ‎06-25-2021

Thank you,

With some minor modifications, it worked.
Appreciates.

ITWhisperer · ‎06-25-2021

Try something like this

| dedup source node port
| stats count by node port
| eventstats max(count) as sources by node port
| where count!= sources

How to Grab Variance

other

stats

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!