Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Predict Command - Alert when value breaches up...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I'm trying to write a search that looks at creating an alert where there is a significant spike in HTTP POST requests.
I am interested in using the predict command and alerting where the total count(http_request) (where http_request=POST) requests by source_ip breaches the predicted upper95.
In theory, it would look something like:
index=web_proxy
| search http_request=POST
| stats count(http_request) AS POST_Count by source_ip
| predict POST_Count by source_ip
| where POST_Count >= upper95
Any assistance, or pointers, would be greatly appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Apologies for the delay in responding. I was able to resolve the issue with the below logic. The index has been swapped out for a generic term, ofc 😉
index="webproxy" requestmethod=POST earliest=-65m@m latest=-5m@m
| timechart span=1m count as POST_Requests
| predict POST_Requests as Predicted_Requests
| rename upper95(Predicted_Results) as Ceiling
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Apologies for the delay in responding. I was able to resolve the issue with the below logic. The index has been swapped out for a generic term, ofc 😉
index="webproxy" requestmethod=POST earliest=-65m@m latest=-5m@m
| timechart span=1m count as POST_Requests
| predict POST_Requests as Predicted_Requests
| rename upper95(Predicted_Results) as Ceiling
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is some really cool logic that can be adapted to detect all sorts of spikes - Recently we have deployed this for spikes in DNS traffic.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The predict command must be preceded by the timechart command. The predict command requires time series data.
For more info: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Predict
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Damn - I was really hoping that this wouldn't be the case...
Okay, so we can use timechart I suppose - Any suggestions on how to get the timechart to display count(http_request) as POST_Count by source_ip, or am I asking a bit much?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem with predict, is that you can't use wildcard. Not very efficient way to this https://answers.splunk.com/answers/661506/predict-with-wildcard.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi dauren,
Apologies for the delay in getting back. I have posted the logic I ended up going with below - Since you were definitely instrumental in getting there, if you wanna post the logic, I'd be happy to mark as an answer 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When attempting to run the above search, I get the error message External search command 'predict' returned error code 1.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
SplunkTrust Application Period is Officially OPEN!
