Predict Command: Endpoint Communicating with Exce...

Splunk Search

Hi team,

I hope that we are all well?

I'm looking to develop a use case designed to identify where an endpoint has seen a spike in outbound communications.

I've been trying to use the predict command - this is great for determining spikes in network traffic in general, but I can't seem to tighten it to look at endpoints on a host-by-host basis.

I'd love for some logic that would identify the endpoint responsible for the spike in network traffic, rather than just a "oh, there's been a spike in network traffic, but who knows which endpoint was responsible".

My logic for determining spikes is as below:

| tstats summariesonly=f prestats=t count FROM datamodel=Network_Traffic where nodename=All_Traffic earliest=-25h latest=-1h by _time span=5m
| timechart span=5m count as Network_Traffic
| predict Network_Traffic as Predicted_Traffic
| rename upper95(Predicted_Traffic) as Ceiling

Any assistance would be greatly appreciated 🙂

Kind regards,
Mike

Get Updates on the Splunk Community!

Predict Command: Endpoint Communicating with Excessive Hosts

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation