Splunk Search

What does "bin _time span=100ms, eval H=len(_raw), transaction and maxevents" mean in this whole search?

M_fahad_hassan
Engager

Hi, 

I am having trouble understanding some portions of the following search. Can anyone help me understand it, please?

index=main | where cidrmatch("192.168.10.1285", src_ip)  AND dst_ip="192.168.10.61" OR cidrmatch("192.168.10.1285", dst_ip) AND src_ip="192.168.10.61" OR cidrmatch("192.168.10.1285", src_ip) AND cidrmatch("192.168.10.1285", dst_ip)  | bin _time span=1m | eval H=len(_raw) | stats count as W(H) mean(H) stdev(H) BY _time src_ip | join src_ip [search index=main | where cidrmatch("192.168.10.1285", src_ip)  AND dst_ip="192.168.10.61" OR cidrmatch("192.168.10.1285", dst_ip) AND src_ip="192.168.10.61" OR cidrmatch("192.168.10.1285", src_ip) AND cidrmatch("192.168.10.1285", dst_ip) | transaction src_ip dst_ip maxevents=2 | bin _time span=1m | eval HH_jit=len(_raw)  | stats count as W(HH_jit) mean(HH_jit) stdev(HH_jit) BY _time src_ip dst_ip] | join src_ip [search index=main | where cidrmatch("192.168.10.1285", src_ip)  AND dst_ip="192.168.10.61" OR cidrmatch("192.168.10.1285", dst_ip) AND src_ip="192.168.10.61" OR cidrmatch("192.168.10.1285", src_ip) AND cidrmatch("192.168.10.1285", dst_ip)  | bin _time span=1m | eval HpHp=len(_raw) | stats count as W(HpHp) mean(HpHp) stdev(HpHp) BY _time src_ip src_port dst_ip dst_port] | table _time W(H) mean(H) stdev(H)  W(HH_jit) mean(HH_jit) stdev(HH_jit) W(HpHp) mean(HpHp) stdev(HpHp) magnitude(HpHp) radius(HpHp) covariance(HpHp) correlation(HpHp)

It is used for the extraction of statistical features on the basis of a time frame like 35ms, 100ms, 1m. I do not understand what is actually meant by a time frame here. What do "bin _time span", "eval H=len(_raw)", "transaction" and "maxevents=2" mean? What is count doing here?

covariance: An approximated covariance between two streams. What is meant by "between two streams" here?

Here is some information used for aggregating the features:

H = packet size transferred in one direction (host to all)

HH_jit = difference in time between transactions with the same IP values (host to host)

HpHp = packet transfer from host to host, taking ports into account (host:port to host:port)

I have read about these different terms on the Splunk search reference page but am not getting a clear picture of this particular case.

I need urgent help; I would appreciate a reply as soon as possible.


richgalloway
SplunkTrust

The bin command puts events into groups ("bins") based on the field name supplied.  Bin sizes are specified by the span option, in this case.  In this query, the command is grouping timestamps (_time) into 1-minute intervals.

eval H=len(_raw) is finding the number of characters in the _raw field and storing that value in the field called "H".

The transaction command groups multiple events with the same values for the specified fields into a single event.  The maxevents=2 option says each grouping must contain no more than 2 events.

RTFM: https://docs.splunk.com/Documentation/Splunk/8.1.0/SearchReference/Bin

---
If this reply helps you, Karma would be appreciated.
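
As an added illustration (not part of the reply above and not Splunk's own code): a small Python model of the first pipeline stage, "bin _time span=1m | eval H=len(_raw) | stats count as W(H) mean(H) stdev(H) BY _time src_ip", run over constructed sample events. It assumes Splunk's stdev is the sample standard deviation and that it reports 0 for a single event.

```python
from collections import defaultdict
from statistics import mean, stdev

# Constructed sample events (not real traffic): (_time in epoch seconds, src_ip, _raw).
# T0 is a whole-minute boundary, so the first four events fall into one 1-minute
# bin and the last one into the next bin.
T0 = 1_700_000_040
EVENTS = [
    (T0 + 5,  "10.0.0.1", "src=10.0.0.1 dst=10.0.0.9 p=80"),
    (T0 + 17, "10.0.0.1", "src=10.0.0.1 dst=10.0.0.9 p=80 bytes=123"),
    (T0 + 42, "10.0.0.1", "src=10.0.0.1 dst=10.0.0.9 p=80 bytes=123 id=000123"),
    (T0 + 59, "10.0.0.2", "src=10.0.0.2 dst=10.0.0.9 p=443"),
    (T0 + 61, "10.0.0.1", "src=10.0.0.1 dst=10.0.0.9 p=80"),
]


def bin_time(epoch, span_seconds=60):
    """bin _time span=1m: replace the timestamp with the start of its 1-minute bucket."""
    return epoch - (epoch % span_seconds)


def stats_by_time_src(events, span_seconds=60):
    """eval H=len(_raw) | stats count as W(H) mean(H) stdev(H) BY _time src_ip

    Returns {(bucket_start, src_ip): {"W(H)": n, "mean(H)": m, "stdev(H)": s}}.
    """
    groups = defaultdict(list)
    for t, src_ip, raw in events:
        h = len(raw)  # eval H=len(_raw): number of characters in the event text
        groups[(bin_time(t, span_seconds), src_ip)].append(h)
    rows = {}
    for key, hs in sorted(groups.items()):
        rows[key] = {
            "W(H)": len(hs),  # count: how many events landed in this bucket for this src_ip
            "mean(H)": mean(hs),
            # Assumption: Splunk's stdev is the sample standard deviation and is 0 for one event
            "stdev(H)": stdev(hs) if len(hs) > 1 else 0.0,
        }
    return rows


if __name__ == "__main__":
    for (bucket, src_ip), row in stats_by_time_src(EVENTS).items():
        print(bucket, src_ip, row)
```

Each row is one (1-minute bucket, src_ip) pair, which is why the count differs from the number of events in the index.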

M_fahad_hassan
Engager

Thank you for your response. 

What that time interval is doing I don't understand. Does it take a 1-minute time difference from the time field and aggregate features on that basis, like finding the mean of the packet size over values within a 1-minute time difference?

What is count doing there then? I still have a question about "an approximated covariance between two streams".
