Splunk Search

How to find Network Traffic Outliers?

Hisae
Engager

Hello Everyone,

I am trying to find outliers in connection duration on a specific subnet but having trouble getting the outliers part to show any results. I want to get avg duration of all traffic connections from a subnet (or list of IPs) by sourceIP and application. So I am grabbing the average of connections in a 15m bin. After evaluating the outliers I want to display the time bin, sourceIP, application, AvgDuration and Outlier

I have tried following 2 queries till now and neither gives results when I try to get the results:

1.
index=firewall sourceip=10.0.0.1/24
| bin span=15m _time
| stats avg(duration) AS AvgTotal by sourceip, _time, app
| eval outlier=if(duration>AvgTotal*3,1,0)
| table _time sourceip app AvgDuration outlier

2.
index=firewall sourceip=10.1.11.1
| timechart span=15m avg(duration) AS AvgDuration by sourceip, _time, app
| eval outlier=if(duration>AvgDuration*3,1,0)
| table _time sourceip app AvgDuration outlier

This is just a test query I am trying, with plans to build on it. I think there something wrong in how I am calling the table. What am I doing wrong in the 2 queries?

Labels (3)
Tags (1)
0 Karma
1 Solution

yeahnah
Motivator

Hi @Hisae 

You're on the right track but after transforming the output into a table (with the stats command) you lose the duration field, so you need to output that as a column (field) too.  Something like this...

 

index=firewall sourceip=10.0.0.1/24
| bin span=15m _time
| stats
    avg(duration) AS AvgTotal
    max(duration) AS MaxDuration
    perc95(duration) AS perc95Duration
  BY _time sourceip app
| eval outlier=if(MaxDuration > (AvgTotal*3), "yes", "no")
| table _time sourceip app AvgTotal perc95Duration MaxDuration outlier

 

 
Hope it helps. 

View solution in original post

0 Karma

yeahnah
Motivator

Hi @Hisae 

You're on the right track but after transforming the output into a table (with the stats command) you lose the duration field, so you need to output that as a column (field) too.  Something like this...

 

index=firewall sourceip=10.0.0.1/24
| bin span=15m _time
| stats
    avg(duration) AS AvgTotal
    max(duration) AS MaxDuration
    perc95(duration) AS perc95Duration
  BY _time sourceip app
| eval outlier=if(MaxDuration > (AvgTotal*3), "yes", "no")
| table _time sourceip app AvgTotal perc95Duration MaxDuration outlier

 

 
Hope it helps. 

0 Karma

Hisae
Engager

Thank you! It didn't work as a copy paste but I made a few changes to make it work. This is what worked:

index=firewall sourceip=10.0.0.1/24
| bin span=15m _time
| stats avg(duration) AS AvgTotal max(duration) AS MaxDuration by sourceip app
| eval outlier=if(MaxDuration>(AvgTotal*3), "yes", "no")
| table _time sourceip AvgTotal MaxDuration app outlier

I will try to make the 95th percentile work, it adds good context.
Thanks a lot!

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...