Splunk Search

Predict Command: Endpoint Communicating with Excessive Hosts

MikeElliott
Communicator

Hi team,

I hope that we are all well?

I'm looking to develop a use case designed to identify where an endpoint has seen a spike in outbound communications.

I've been trying to use the predict command - this is great for determining spikes in network traffic in general, but I can't seem to tighten it to look at endpoints on a host-by-host basis.

I'd love for some logic that would identify the endpoint responsible for the spike in network traffic, rather than just a "oh, there's been a spike in network traffic, but who knows which endpoint was responsible".

My logic for determining spikes is as below:

| tstats summariesonly=f prestats=t count FROM datamodel=Network_Traffic where nodename=All_Traffic earliest=-25h latest=-1h by _time span=5m
| timechart span=5m count as Network_Traffic
| predict Network_Traffic as Predicted_Traffic
| rename upper95(Predicted_Traffic) as Ceiling

Any assistance would be greatly appreciated 🙂

Kind regards,
Mike

Tags (2)
Get Updates on the Splunk Community!

Splunk Certification Support Alert | Pearson VUE Outage

Splunk Certification holders and candidates!  Please be advised of an upcoming system maintenance period for ...

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...