index=Network dest_ip=xx.xx.xx.xx action=allowed
Trying to list total allowed connections to the destination IP by day, regardless of source, to try and determine the volume of connections per day of the week and show which days are busiest, and also, if possible, to determine when during the day the number of connections peaks.
Any help would be greatly appreciated.
What did you try so far?
Well, there are two approaches to prepare this data. One is pretty much as you wrote it:
<yoursearch> | timechart span=1d count by src_ip limit=0
The other one is done a bit differently
<yoursearch> | bin span=1d | stats count by src_ip _time
They should produce the same results, just differently "formatted" - first one, as you noticed, will produce a grid of count by day/src_ip. The latter will show count by pair "day/src_ip".
You can transform one to another with untable/xyseries.
Thanks for replying Rick,
Running the following:
index=Network dest_ip=xx.xx.xx.xx action=allowed
| bin span=1d | stats count by src_ip _time
Returns the following error:
Error in 'bin' command: You must specify a field to discretize.
Not looking to list the source IPs, just need counts per day, so I have tried using:
index=Network dest_ip=xx.xx.xx.xx action=allowed | bin _time span=1d | stats count by _time
Reading this as
when the condition (index=Network dest_ip=xx.xx.xx.xx action=allowed) has been met, break up time into 1-day bins (bin _time span=1d) and list the total count of each time this condition is met for each bin, which is one day.
Am I on the right track here?
Sorry, of course I omitted the field with the bin command (I often write the responses while walking my dog, without access to the live Splunk environment :D)
And yes, your interpretation is quite correct. If there is no command, there's an implicit search, so it could be written as well as
search index=Network dest_ip=xx.xx.xx.xx action=allowed | bin _time span=1d | stats count by _time
And it means "search for events fulfilling given conditions", then "split it into day-sized bins/buckets" (the bin command does that by "adjusting" the _time field to the earliest possible time of this bin, so if you have span=1d, all your events from that day will be aligned to the midnight at the day's beginning).
As the last step of the pipeline you have "calculate count of events for each unique value of the _time field". Since we did the binning in the previous step, we have all events "grouped" at the beginning of the day, so we have just one _time value per whole day.
Since you're not splitting the data by any other fields, you can get pretty much the same results by
search index=Network dest_ip=xx.xx.xx.xx action=allowed | timechart span=1d count
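As an added example (not part of the replies above), the following two searches take the per-day count one step further to cover the other two parts of the original question: which days of the week are busiest, and at what hour of the day the connections peak. They assume the same index and field names as the original search (index=Network, dest_ip, action), that _time carries the firewall event's timestamp, and that xx.xx.xx.xx is replaced with the real destination address.

```spl
index=Network dest_ip=xx.xx.xx.xx action=allowed
| bin _time span=1d
| stats count AS connections BY _time
| eval day_of_week=strftime(_time, "%A")
| stats sum(connections) AS total_connections avg(connections) AS avg_per_day BY day_of_week
| sort -avg_per_day

index=Network dest_ip=xx.xx.xx.xx action=allowed
| bin _time span=1h
| stats count AS connections BY _time
| eval hour_of_day=strftime(_time, "%H")
| stats avg(connections) AS avg_connections max(connections) AS peak_connections BY hour_of_day
| sort -avg_connections
```

The first search bins to whole days exactly as in the reply, then uses strftime to label each day bin with its weekday name and aggregates over those labels; avg_per_day is the number to compare, because a search window that contains, say, five Mondays but four Sundays would skew total_connections. The second search does the same with one-hour bins and the %H label, so avg_connections for each hour_of_day is the average over every day in the window and the top row is the usual peak hour, while peak_connections shows the single busiest hour seen. Two things to keep in mind: bin span=1d and span=1h align bucket boundaries to midnight and the hour in the timezone of the user running the search, not the firewall's timezone, so set the user timezone accordingly; and stats only emits bins that contain at least one event, whereas timechart would fill empty days or hours with a zero count.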
Thanks for increasing my knowledge on this, sincerely appreciated.