Usecase is to find the threshold for the maximum attacker_score of the domain group and its attackerip count for the maximum attacker_score from a single IP. Do you mean that the threshold calculation is not to be used in the alert, and that you want to select every IP with the highest count in the group and send it as an alert? Now, back to the discussion about min and max. Assuming you still want a different formula when the range is too small, as I speculated, you can do

index=ss group="Threat Intelligence"
``` here I'm grouping the domain names into a single group by their naming convention ```
| eval domain_group=case(
like(domain_name, "%cisco%"), "cisco",
like(domain_name, "%wipro%"), "wipro",
like(domain_name, "%IBM%"), "IBM",
true(), "other"
)
| stats count as hits, min(attacker_score) as min_score, max(attacker_score) as max_score by domain_group, attackerip
| sort -hits
| eval range = max_score - min_score
| eval threshold=round(if(range > min_score / 10, min_score + (2 * (range/3)), max_score * 4 / 5), 0)
| eventstats max(hits) as max_hits by domain_group ``` eventstats instead of streamstats ```
| where hits == max_hits
| table domain_group, min_score, max_score, attackerip, hits, threshold

If this does not give you the desired output, you will need to illustrate the input, actual output (anonymize as needed), desired output, and explain the logic between input and desired output without using SPL.
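To check the threshold logic in that search offline before wiring it into an alert, here is the same pipeline (case() grouping, stats by domain_group and attackerip, the range-vs-min_score/10 branch inside round(), eventstats max(hits) and the where filter) rendered in plain Python. This is an added example, not code from the thread above or from Splunk; the events in SAMPLE_EVENTS are constructed, and the rounding helper assumes non-negative scores so that it matches SPL's round(), which rounds halves up.

```python
import math
from collections import defaultdict

# Constructed sample events (not real data): each row stands in for one event
# returned by index=ss group="Threat Intelligence" with the fields the query uses.
SAMPLE_EVENTS = [
    {"domain_name": "login.cisco.com",  "attackerip": "10.0.0.1", "attacker_score": 40},
    {"domain_name": "vpn.cisco.com",    "attackerip": "10.0.0.1", "attacker_score": 90},
    {"domain_name": "mail.cisco.com",   "attackerip": "10.0.0.1", "attacker_score": 70},
    {"domain_name": "cisco.net",        "attackerip": "10.0.0.2", "attacker_score": 85},
    {"domain_name": "portal.wipro.com", "attackerip": "10.0.0.3", "attacker_score": 60},
    {"domain_name": "hr.wipro.com",     "attackerip": "10.0.0.3", "attacker_score": 62},
    {"domain_name": "wipro.co.in",      "attackerip": "10.0.0.4", "attacker_score": 95},
    {"domain_name": "example.org",      "attackerip": "10.0.0.5", "attacker_score": 30},
]


def domain_group(domain_name):
    """eval domain_group=case(like(...), ...): first matching substring wins, else "other".

    SPL like() is case-sensitive, so "%IBM%" does not match "ibm.com"; this mirrors that.
    """
    for needle, group in (("cisco", "cisco"), ("wipro", "wipro"), ("IBM", "IBM")):
        if needle in domain_name:
            return group
    return "other"


def spl_round(value):
    """round(x, 0) as SPL does it: halves go up. Assumes value >= 0 (scores are non-negative)."""
    return math.floor(value + 0.5)


def threshold(min_score, max_score):
    """round(if(range > min_score/10, min_score + 2*range/3, max_score*4/5), 0).

    The first branch spreads the threshold across a wide score range; the second
    branch kicks in when the range is too small relative to min_score.
    """
    rng = max_score - min_score
    if rng > min_score / 10:
        value = min_score + (2 * (rng / 3))
    else:
        value = max_score * 4 / 5
    return spl_round(value)


def stats_by_group_ip(events):
    """stats count as hits, min/max(attacker_score) by domain_group, attackerip | sort -hits
    followed by the range and threshold evals."""
    rows = {}
    for e in events:
        key = (domain_group(e["domain_name"]), e["attackerip"])
        r = rows.setdefault(key, {"hits": 0, "min_score": None, "max_score": None})
        r["hits"] += 1
        s = e["attacker_score"]
        r["min_score"] = s if r["min_score"] is None else min(r["min_score"], s)
        r["max_score"] = s if r["max_score"] is None else max(r["max_score"], s)
    out = []
    for (group, ip), r in rows.items():
        out.append({
            "domain_group": group, "attackerip": ip, **r,
            "range": r["max_score"] - r["min_score"],
            "threshold": threshold(r["min_score"], r["max_score"]),
        })
    # sort -hits (stable, like Splunk's sort keeps ties in arrival order)
    return sorted(out, key=lambda r: -r["hits"])


def top_ips_per_group(rows):
    """eventstats max(hits) as max_hits by domain_group | where hits == max_hits.

    eventstats (not streamstats) is needed here because the maximum must be known
    for the whole group before any row can be kept or dropped.
    """
    max_hits = defaultdict(int)
    for r in rows:
        max_hits[r["domain_group"]] = max(max_hits[r["domain_group"]], r["hits"])
    return [r for r in rows if r["hits"] == max_hits[r["domain_group"]]]


if __name__ == "__main__":
    # table domain_group, min_score, max_score, attackerip, hits, threshold
    for r in top_ips_per_group(stats_by_group_ip(SAMPLE_EVENTS)):
        print(r["domain_group"], r["min_score"], r["max_score"],
              r["attackerip"], r["hits"], r["threshold"])
```

With the constructed events the cisco group keeps only 10.0.0.1 (3 hits, scores 40..90, so the wide-range branch gives 40 + 2*50/3, rounded to 73), while wipro/10.0.0.3 has a range of 2 against min_score/10 of 6 and falls into the narrow-range branch (62 * 4/5 = 49.6, rounded to 50). Swap in your own scores to see which branch each group lands in before trusting the alert.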