Splunk Search

How to find Network Traffic Outliers?

Hisae
Engager

Hello Everyone,

I am trying to find outliers in connection duration on a specific subnet but having trouble getting the outliers part to show any results. I want to get avg duration of all traffic connections from a subnet (or list of IPs) by sourceIP and application. So I am grabbing the average of connections in a 15m bin. After evaluating the outliers I want to display the time bin, sourceIP, application, AvgDuration and Outlier

I have tried following 2 queries till now and neither gives results when I try to get the results:

1.
index=firewall sourceip=10.0.0.1/24
| bin span=15m _time
| stats avg(duration) AS AvgTotal by sourceip, _time, app
| eval outlier=if(duration>AvgTotal*3,1,0)
| table _time sourceip app AvgDuration outlier

2.
index=firewall sourceip=10.1.11.1
| timechart span=15m avg(duration) AS AvgDuration by sourceip, _time, app
| eval outlier=if(duration>AvgDuration*3,1,0)
| table _time sourceip app AvgDuration outlier

This is just a test query I am trying, with plans to build on it. I think there something wrong in how I am calling the table. What am I doing wrong in the 2 queries?

Labels (3)
Tags (1)
0 Karma
1 Solution

yeahnah
Motivator

Hi @Hisae 

You're on the right track but after transforming the output into a table (with the stats command) you lose the duration field, so you need to output that as a column (field) too.  Something like this...

 

index=firewall sourceip=10.0.0.1/24
| bin span=15m _time
| stats
    avg(duration) AS AvgTotal
    max(duration) AS MaxDuration
    perc95(duration) AS perc95Duration
  BY _time sourceip app
| eval outlier=if(MaxDuration > (AvgTotal*3), "yes", "no")
| table _time sourceip app AvgTotal perc95Duration MaxDuration outlier

 

 
Hope it helps. 

View solution in original post

0 Karma

yeahnah
Motivator

Hi @Hisae 

You're on the right track but after transforming the output into a table (with the stats command) you lose the duration field, so you need to output that as a column (field) too.  Something like this...

 

index=firewall sourceip=10.0.0.1/24
| bin span=15m _time
| stats
    avg(duration) AS AvgTotal
    max(duration) AS MaxDuration
    perc95(duration) AS perc95Duration
  BY _time sourceip app
| eval outlier=if(MaxDuration > (AvgTotal*3), "yes", "no")
| table _time sourceip app AvgTotal perc95Duration MaxDuration outlier

 

 
Hope it helps. 

0 Karma

Hisae
Engager

Thank you! It didn't work as a copy paste but I made a few changes to make it work. This is what worked:

index=firewall sourceip=10.0.0.1/24
| bin span=15m _time
| stats avg(duration) AS AvgTotal max(duration) AS MaxDuration by sourceip app
| eval outlier=if(MaxDuration>(AvgTotal*3), "yes", "no")
| table _time sourceip AvgTotal MaxDuration app outlier

I will try to make the 95th percentile work, it adds good context.
Thanks a lot!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...