How to display the volume of connections per day of the week to a single IP to show which days are busiest?

Gurv_Bahad
Engager

index=Network dest_ip=xx.xx.xx.xx action=allowed

Trying to list total allowed connections to the destination IP by day, regardless of source, to determine the volume of connections per day of the week and show which days are busiest, and also, if possible, to determine when during the day the number of connections peaks.

Any help would be greatly appreciated.


PickleRick
SplunkTrust

What did you try so far?


Gurv_Bahad
Engager
Efforts so far include:

mysearch | timechart span=1d count by src_ip limit=0

which displays a grid of IPs against days. Right now, just total connections per day are needed. Peaks during the day itself would be nice. Trying a few suggestions on similar questions posted, but none produce the desired results.

PickleRick
SplunkTrust

Well, there are two approaches to prepare this data. One is pretty much as you wrote it:

<yoursearch> | timechart span=1d count by src_ip limit=0

The other one is done a bit differently

<yoursearch> | bin span=1d | stats count by src_ip _time

They should produce the same results, just differently "formatted" - first one, as you noticed, will produce a grid of count by day/src_ip. The latter will show count by pair "day/src_ip".

You can transform one to another with untable/xyseries.


Gurv_Bahad
Engager

Thanks for replying Rick,

Running the following:

index=Network dest_ip=xx.xx.xx.xx. action=allowed
| bin span=1d | stats count by src_ip _time

Returns the following error:
Error in 'bin' command: You must specify a field to discretize.

Not looking to list the source IPs, just need counts per day, so have tried using:

index=Network dest_ip=xx.xx.xx.xx. action=allowed | bin _time span=1d | stats count by _time

Reading this as: when the condition (index=Network dest_ip=xx.xx.xx.xx. action=allowed) has been met, break up time into 1-day bins (bin _time span=1d) and list the total count of each time this condition is met for each bin, which is one day.

Am I on the right track here?


PickleRick
SplunkTrust

Sorry, of course I omitted the field with the bin command (I often write the responses while walking my dog, without access to the live Splunk environment :D)

And yes, your interpretation is quite correct. If there is no command, there's an implicit search, so it could be written as well as

search index=Network dest_ip=xx.xx.xx.xx. action=allowed | bin _time span=1d | stats count by _time

And it means "search for events fulfilling given conditions", then "split it into day-sized bins/buckets" (the bin command does that by "adjusting" the _time field to the earliest possible time of this bin). So if you have span=1d, all your events from that day will be aligned to the midnight at the day's beginning.

As the last step of the pipeline you have "calculate count of events for each unique value of the _time field". Since we did the binning in the previous step, we have all events "grouped" at the beginning of the day, so we have just one _time value per whole day.

Since you're not splitting the data by any other fields, you can get pretty much the same results by

search index=Network dest_ip=xx.xx.xx.xx. action=allowed | timechart span=1d count

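The bin/stats pipeline above yields one row per calendar day. To get the day-of-week and hour-of-day view the original question asks for, here is an added example (not from the thread) that keys the counts on values derived from _time instead of on the binned _time itself; it assumes the same index and field names used in the thread.

```spl
index=Network dest_ip=xx.xx.xx.xx action=allowed
| eval wday_num=strftime(_time, "%w"), wday=strftime(_time, "%A"), hour=strftime(_time, "%H")
| stats count AS connections BY wday_num wday hour
| eventstats sum(connections) AS day_total BY wday
| sort wday_num hour
```

wday_num (Sunday=0) keeps the rows in calendar order, day_total ranks the days of the week, and within each day the largest connections value marks the peak hour; dropping the hour field and using `stats count BY wday_num wday` gives just the per-weekday totals.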

Gurv_Bahad
Engager

Thanks for increasing my knowledge on this, sincerely appreciated.
