Outputlookup a baseline lookup and query for anoma...

antoniolamonica · ‎06-12-2024

Say I create a query that outputs (as a csv) the last 14 days of hosts and the dest_ports the host has communicated on.

Then I would inputlookup that csv to compare the last 7 days of the same type of data.

What would be simplest spl to detect anomalies?

ITWhisperer · ‎06-12-2024

This requirement is too broad - what sort of anomalies are you trying to detect?

antoniolamonica · ‎06-12-2024

Use case would be if a host is talks to a port it doesn’t usually talk on based on the baseline. The timeframes in the question are arbitrary. Would start smart to test, and expand the timeframe for the baseline prior to fully implementing it.

ITWhisperer · ‎06-13-2024

You could lookup the host and dest_port to retrieve another value from the lookup store e.g. last time accessed (if you have saved that as well), then if no data is retrieved, the host and dest_port is unknown

Outputlookup a baseline lookup and query for anomalies based on baseline lookup?

lookup

stats

subsearch

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025

Introduction to Splunk AI

Are you a member of the Splunk Community?