Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to detected a Deviation of 20% vs weekly average?

christianubeda
Path Finder
‎05-07-2019 03:20 AM

Hi team!

I need to do that:

Eventcode = 4624 and 4634 with Logon Type = 10. An event will be generated if an access volume above normal is detected. Deviation of 20% vs weekly average.

This is my search right now;

index=* index=* (EventCode=4624 OR EventCode=4634) eventtype=wineventlog_security
| stats values(host), values(EventCodeDescription), values(Changes), values(Account_Domain), values(action) by _time
| rename values(host) as Host, values(EventCodeDescription) as Description, values(Changes) as Changes, values(Account_Domain) as "Account Domain", values(action) as Action, _time as Date
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(Date)

But I dont know how to detected a Deviation of 20% vs weekly average. I mean, how can I do that?

Thank you a lot.

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎10-08-2019 07:16 AM

Check out this great Q&A (don't forget to UpVote) and links:
https://answers.splunk.com/answers/511894/how-to-use-the-timewrap-command-and-set-an-alert-f.html

0 Karma
Reply

DavidHourani
Super Champion
‎05-07-2019 03:57 AM

Hi @christianubeda,

You seem to be looking for something like this :

index="_audit" | timechart span=1h count as A | eventstats avg(A) as WeeklyAverage | tail 1 | eval Result=(A/WeeklyAverage)*100

From there tweak the span to compare per hour/day/week and use the result for your threshold condition.

Cheers,
David

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...