Splunk Search

Predict Command: Endpoint Communicating with Excessive Hosts

MikeElliott
Communicator

Hi team,

I hope that we are all well?

I'm looking to develop a use case designed to identify where an endpoint has seen a spike in outbound communications.

I've been trying to use the predict command - this is great for determining spikes in network traffic in general, but I can't seem to tighten it to look at endpoints on a host-by-host basis.

I'd love for some logic that would identify the endpoint responsible for the spike in network traffic, rather than just an "oh, there's been a spike in network traffic, but who knows which endpoint was responsible".

My logic for determining spikes is as below:

| tstats summariesonly=f prestats=t count FROM datamodel=Network_Traffic where nodename=All_Traffic earliest=-25h latest=-1h by _time span=5m
| timechart span=5m count as Network_Traffic
| predict Network_Traffic as Predicted_Traffic
| rename upper95(Predicted_Traffic) as Ceiling

Any assistance would be greatly appreciated 🙂

Kind regards,
Mike
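One way to get the per-endpoint view the post asks for, written as an added example rather than code from Mike's post: predict has no by clause and needs each series named explicitly, so this swaps it for a trailing per-source baseline (mean plus three standard deviations over the previous 24 hours of 5-minute bins) computed with streamstats, and flags bins where a source exceeds its own ceiling for either connection count or distinct destinations. The data model fields All_Traffic.src and All_Traffic.dest are the standard Network_Traffic fields; the 24-hour window (288 bins), the three-sigma threshold and the minimum of 12 baseline samples are assumptions to tune.

```spl
| tstats summariesonly=f count AS conn_count dc(All_Traffic.dest) AS dest_count
    FROM datamodel=Network_Traffic WHERE nodename=All_Traffic earliest=-25h
    BY _time span=5m All_Traffic.src
| rename All_Traffic.src AS src
| sort 0 _time
``` Trailing baseline per source: the previous 288 bins (24h), current bin excluded
| streamstats window=288 current=f count AS samples
    avg(conn_count) AS conn_baseline stdev(conn_count) AS conn_sd
    avg(dest_count) AS dest_baseline stdev(dest_count) AS dest_sd
    BY src
``` Ceiling = mean + 3 sigma (assumed threshold); coalesce handles a single-sample stdev of null
| eval conn_ceiling = conn_baseline + 3 * coalesce(conn_sd, 0)
| eval dest_ceiling = dest_baseline + 3 * coalesce(dest_sd, 0)
``` Only alert once a source has enough history to form a baseline (assumed minimum)
| where samples >= 12 AND (conn_count > conn_ceiling OR dest_count > dest_ceiling)
| table _time src conn_count conn_ceiling dest_count dest_ceiling samples
```

Each result row names the src responsible for the spike and the bin it happened in, which is the attribution the predict-based search cannot give; to match the original search's scope, add latest=-1h back to the tstats WHERE clause.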
