Splunk Search

What does  "bin _time span=100ms, eval H=len(_raw),transaction and maxevents" mean in this whole search?

M_fahad_hassan
Engager

Hi, 

I am having trouble understanding some portions of the following search. Can anyone help me understand it, please?

 

index=main
| where cidrmatch("192.168.10.1285", src_ip) AND dst_ip="192.168.10.61"
     OR cidrmatch("192.168.10.1285", dst_ip) AND src_ip="192.168.10.61"
     OR cidrmatch("192.168.10.1285", src_ip) AND cidrmatch("192.168.10.1285", dst_ip)
| bin _time span=1m
| eval H=len(_raw)
| stats count as W(H) mean(H) stdev(H) BY _time src_ip
| join src_ip
    [search index=main
     | where cidrmatch("192.168.10.1285", src_ip) AND dst_ip="192.168.10.61"
          OR cidrmatch("192.168.10.1285", dst_ip) AND src_ip="192.168.10.61"
          OR cidrmatch("192.168.10.1285", src_ip) AND cidrmatch("192.168.10.1285", dst_ip)
     | transaction src_ip dst_ip maxevents=2
     | bin _time span=1m
     | eval HH_jit=len(_raw)
     | stats count as W(HH_jit) mean(HH_jit) stdev(HH_jit) BY _time src_ip dst_ip]
| join src_ip
    [search index=main
     | where cidrmatch("192.168.10.1285", src_ip) AND dst_ip="192.168.10.61"
          OR cidrmatch("192.168.10.1285", dst_ip) AND src_ip="192.168.10.61"
          OR cidrmatch("192.168.10.1285", src_ip) AND cidrmatch("192.168.10.1285", dst_ip)
     | bin _time span=1m
     | eval HpHp=len(_raw)
     | stats count as W(HpHp) mean(HpHp) stdev(HpHp) BY _time src_ip src_port dst_ip dst_port]
| table _time W(H) mean(H) stdev(H) W(HH_jit) mean(HH_jit) stdev(HH_jit) W(HpHp) mean(HpHp) stdev(HpHp) magnitude(HpHp) radius(HpHp) covariance(HpHp) correlation(HpHp)

 

 

It is used for the extraction of statistical features on the basis of a time frame like 35ms, 100ms, 1m. I am not understanding what it actually means by time frame here. What do "bin _time span", "eval H=len(_raw)", "transaction" and "maxevents=2" mean? What is count doing here?

covariance: An approximated covariance between two streams. What is meant by "between two streams" here?

Here is some information used for aggregating the features:

H = packet size transferred unidirectionally (host to all)

HH_jit = difference in time between transactions with the same IP values (host to host)

HpHp = packet transfer from host to host, taking ports into account (host:port to host:port)

I have read the Splunk search reference page about these different terms but am not getting a clear picture about this particular case.

I need urgent help; I would appreciate a reply as soon as possible.

 

0 Karma

richgalloway
SplunkTrust

The bin command puts events into groups ("bins") based on the field name supplied.  Bin sizes are specified by the span option, in this case.  In this query, the command is grouping timestamps (_time) into 1-minute intervals.

eval H=len(_raw) is finding the number of characters in the _raw field and storing that value in the field called "H".

The transaction command groups multiple events with the same values for the specified fields into a single event.  The maxevents=2 option says each grouping must contain no more than 2 events.

RTFM: https://docs.splunk.com/Documentation/Splunk/8.1.0/SearchReference/Bin

---
If this reply helps you, an upvote would be appreciated.
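Added example, not code from this thread or from Splunk: a small Python emulation of the three feature pipelines in the question (H, HH_jit and HpHp) run over a handful of constructed firewall-style events, so you can see what bin, eval len(_raw), transaction maxevents=2 and count each contribute to the output rows. The IPs, ports and timestamps are made up. The Splunk behaviour it assumes is that bin floors _time to the start of its span, that stdev() is the sample standard deviation, and that transaction gives the merged event the earliest member's _time, the members' _raw joined together, and duration and eventcount fields.

```python
# Added example (not from the thread): emulate
#   bin _time span=1m | eval X=len(_raw) | stats count mean(X) stdev(X) BY _time <fields>
# and the transaction-based HH_jit variant over constructed events.
from collections import defaultdict
from statistics import mean, stdev

BUCKET0 = 1_699_999_980  # epoch seconds on a 1-minute boundary (divisible by 60)


def _ev(offset, src, dst, sport, dport, extra):
    """Build one constructed event; _raw is the kind of line a firewall would log."""
    raw = f"action=allow src={src} dst={dst} sport={sport} dport={dport} {extra}"
    return {"_time": BUCKET0 + offset, "src_ip": src, "dst_ip": dst,
            "src_port": sport, "dst_port": dport, "_raw": raw}


A, B = "192.168.10.12", "192.168.10.61"   # made-up hosts, not the ones in the post
EVENTS = [                                # constructed sample data, not real traffic
    _ev(5,  A, B, 51000, 443, "bytes=120"),
    _ev(20, A, B, 51001, 443, "bytes=1480 flags=PA"),
    _ev(45, A, B, 51000, 443, "bytes=60"),
    _ev(70, A, B, 51002, 22,  "bytes=52"),    # lands in the next 1-minute bucket
    _ev(30, B, A, 443, 51000, "bytes=1024"),  # reverse direction
]


def bin_time(t, span=60):
    """`bin _time span=1m`: replace _time with the start of the bucket it falls in."""
    return t - (t % span)


def splunk_stdev(values):
    """Splunk's stdev() is the sample standard deviation; a single value gives 0."""
    return stdev(values) if len(values) > 1 else 0.0


def stats_by(events, key_fields, span=60):
    """`bin _time span | eval X=len(_raw) | stats count mean(X) stdev(X) BY _time <key_fields>`.

    count is simply how many events landed in each (bucket, key) group; mean and
    stdev are taken over the _raw lengths of those events."""
    groups = defaultdict(list)
    for e in events:
        key = (bin_time(e["_time"], span),) + tuple(e[f] for f in key_fields)
        groups[key].append(len(e["_raw"]))
    return {k: {"count": len(v), "mean": mean(v), "stdev": splunk_stdev(v)}
            for k, v in groups.items()}


def transaction(events, fields, maxevents=2):
    """`transaction <fields> maxevents=N`: merge events sharing the same field values
    into one event, closing a group as soon as it holds N events.  As in Splunk the
    merged event takes the earliest member's _time, joins the members' _raw, and
    gains duration and eventcount.  (Splunk feeds events to the command in its own
    search order; this emulation pairs them in ascending time order.)"""
    open_groups = defaultdict(list)
    done = []

    def close(members):
        done.append({
            "_time": members[0]["_time"],
            **{f: members[0][f] for f in fields},
            "_raw": "\n".join(m["_raw"] for m in members),
            "duration": members[-1]["_time"] - members[0]["_time"],
            "eventcount": len(members),
        })

    for e in sorted(events, key=lambda e: e["_time"]):
        key = tuple(e[f] for f in fields)
        open_groups[key].append(e)
        if len(open_groups[key]) == maxevents:
            close(open_groups.pop(key))
    for members in open_groups.values():
        close(members)
    return sorted(done, key=lambda t: t["_time"])


# The three feature families from the question, as the posted SPL actually computes them.
def h_features(events):       # H: per source host
    return stats_by(events, ("src_ip",))


def hh_jit_features(events):  # HH_jit: per host pair, over transaction-merged events
    return stats_by(transaction(events, ("src_ip", "dst_ip"), maxevents=2),
                    ("src_ip", "dst_ip"))


def hphp_features(events):    # HpHp: per host:port -> host:port flow
    return stats_by(events, ("src_ip", "src_port", "dst_ip", "dst_port"))


if __name__ == "__main__":
    for name, feats in (("H", h_features(EVENTS)),
                        ("HH_jit", hh_jit_features(EVENTS)),
                        ("HpHp", hphp_features(EVENTS))):
        print(name)
        for key, v in sorted(feats.items()):
            print(f"  {key}: count={v['count']} mean={v['mean']:.1f} stdev={v['stdev']:.1f}")
```

Three things the emulation makes visible that the posted search hides. First, because bin runs after transaction, a pair whose second event is in the next minute (the +45/+70 pair above) is counted in the minute of its first event. Second, HH_jit as written is len(_raw) of the merged pair, i.e. the combined length of both log lines, not a time difference; the time gap between the two events is the duration field that transaction emits, so `eval HH_jit=duration` is what matches the description in the post. Third, nothing in the search computes magnitude(HpHp), radius(HpHp), covariance(HpHp) or correlation(HpHp), so table will show those as empty columns, and `join src_ip` uses join's default max=1, so each outer row is matched with only the first subsearch row for that source IP rather than the row for the same minute.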

M_fahad_hassan
Engager

Thank you for your response. 

What that time interval is doing I don't understand. Does it take a 1-minute time difference from the time field and aggregate features on that basis, like finding the mean of a packet size over values within a 1-minute time difference?

What is count doing there, then? I still have a question about "An approximated covariance between two streams".

 

0 Karma