How to best track the frequency of repeating event...

pwild_splunk · ‎07-13-2020

Hi,

I'm after suggestions on how to best approach this problem.

I want to track over time how often I am seeing a mac address (src_mac) as categorised as:

first time: never seen before

daily: seen once per day for last 14 days

weekly: seen at least once per week for last 8 weeks

occasionally: seen before but not categorised as the above.

I then want to timechart this on a day-by-day basis.

gcusello · ‎07-13-2020

this is an heavy and long search, so you can have two approaches:

if you need a static server, you can schedule a report every night and access the results in the following 24 hours until the next execution;
if instead you want a dynamic report, you could schedule a search and store reults in a summary index, then use it to compare the results of the last day with the results of previous days from the summary index.

the first is easier (only one search) but static, the second has two parts (scheduled search and runtime search) but it's dynamic.

Ciao.

Giuseppe

How to best track the frequency of repeating events