I would like to be able to compare current levels of activity against that occurring in previous periods.
So, for example, compare the transaction counts "right now" against the same day-of-week and hour-of-day for the preceding week(s).
Hi raoul
If you have the *nix app active, for example, you could fire this search, and it will give you a list of TCPSessions per hostname:port compared to each other over the last 48h:

source=netstat earliest=-48h@h
| multikv
| search State=Established
| rename LocalAddress AS Host&Port
| chart count AS TCPSession by Host&Port
| sort limit=10 - TCPSession
| streamstats count AS RankA
| append [ search source=netstat earliest=-2h@h
    | multikv
    | search State=Established
    | rename LocalAddress AS Host&Port
    | chart count AS TCPSession by Host&Port
    | sort limit=10 - TCPSession
    | streamstats count AS RankB ]
| stats first(RankA) AS RankM first(RankB) AS RankD by Host&Port
| eval Moved = RankM - RankD
| fields Host&Port RankM RankD Moved

This should help you figure out how it can be done 😉
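A search aimed directly at the original question (the hour in progress against the same weekday and hour-of-day in the preceding weeks), added here as an illustration; it is not part of raoul's question or of the answer above. The index, sourcetype and the number of baseline weeks are assumptions, so substitute your own transaction events. Because the current hour is still running, each baseline hour is truncated to the same number of elapsed minutes (ev_min<=now_min) before counting, so a search fired at 10:20 compares the first twenty minutes of this hour against the first twenty minutes of the same weekday-hour in each of the last four weeks.

```spl
index=transactions sourcetype=app_txn earliest=-4w@h
| eval now_wday=strftime(now(),"%w"), now_hour=strftime(now(),"%H"), now_min=tonumber(strftime(now(),"%M"))
| eval ev_wday=strftime(_time,"%w"), ev_hour=strftime(_time,"%H"), ev_min=tonumber(strftime(_time,"%M"))
| where ev_wday=now_wday AND ev_hour=now_hour AND ev_min<=now_min
| bin _time span=1h
| stats count AS txn_count by _time
| eval period=if(_time>=relative_time(now(),"@h"),"current","baseline")
| eventstats avg(eval(if(period="baseline",txn_count,null()))) AS baseline_avg,
             stdev(eval(if(period="baseline",txn_count,null()))) AS baseline_stdev,
             count(eval(period="baseline")) AS baseline_weeks
| where period="current"
| eval deviation_pct=round(100*(txn_count-baseline_avg)/baseline_avg,1),
       zscore=if(baseline_stdev>0, round((txn_count-baseline_avg)/baseline_stdev,2), null())
| table _time txn_count baseline_weeks baseline_avg baseline_stdev deviation_pct zscore
```

Two caveats before turning this into an alert (for example by appending `| where abs(zscore)>3`): a baseline hour with no events at all produces no bucket and silently drops out of the average, which biases baseline_avg upward, so check baseline_weeks against the number of weeks you searched; and with fewer than three baseline weeks the stdev is close to meaningless, so lean on deviation_pct instead. If you mainly want to eyeball the pattern, `... | timechart span=1h count | timewrap 1w` overlays the last few weeks on one chart without any of the eval work.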