I am trying to summarize network traffic to or from an IP address. I would like to look for daily patterns and thought that a sparkline would help to call those out. I cannot figure out how to make a sparkline for each day.
What I have so far:
traffic counts to an IP address by the minute:
| tstats summariesonly=t count FROM datamodel=Network_Traffic.All_Traffic
WHERE All_Traffic.dest_ip=134.170.30.203
BY _time, All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.dest_port span=1m
Which I can summarize over each day with
| tstats summariesonly=t count FROM datamodel=Network_Traffic.All_Traffic
WHERE All_Traffic.dest_ip=134.170.30.203
BY _time, All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.dest_port span=1m
| timechart sum(count) as Count min(_time) as First max(_time) as Last span=1d
| eval First=strftime(First,"%m/%d/%y %H:%M") | eval Last=strftime(Last,"%m/%d/%y %H:%M")
The initial span of a minute is just there so that I can get 1 minute resolution to the first and last times of each day. I actually use an intermediate timechart so that I can save daily first and last times:
| tstats summariesonly=t count FROM datamodel=Network_Traffic.All_Traffic
WHERE All_Traffic.dest_ip=134.170.30.203
BY _time, All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.dest_port span=1m
| timechart sum(count) as minCount earliest(_time) as minFirst latest(_time) as minLast span=1m
| timechart sum(minCount) as Count min(minFirst) as First max(minLast) as Last span=1d
| eval First=strftime(First,"%m/%d/%y %H:%M") | eval Last=strftime(Last,"%m/%d/%y %H:%M")
So the above gives me a record for each day with the date, number of network events, first network event, and last network event, looking something like:
_time        Count   First             Last
2016-12-25   30      12/25/16 04:25    12/25/16 23:24
2016-12-26   42      12/26/16 02:18    12/26/16 09:14
2016-12-27   430     12/27/16 03:51    12/27/16 20:13
2016-12-28   48      12/28/16 03:51    12/28/16 10:20
2016-12-29   48      12/29/16 05:27    12/29/16 10:20
I would like to add a sparkline indicating how the network events were distributed across the day each day. Can someone help me figure out how to do this?
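One way to get the per-day sparkline, as an added example that is not part of the original post: keep the minute-resolution tstats rows, bucket each row into a calendar day with eval, and let stats build the sparkline from the rows' own _time values. The day field name, the Distribution column name and the 1h sparkline span (24 points per day) are my choices, not the poster's.

```spl
| tstats summariesonly=t count FROM datamodel=Network_Traffic.All_Traffic
    WHERE All_Traffic.dest_ip=134.170.30.203
    BY _time, All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.dest_port span=1m
| eval day=strftime(_time, "%Y-%m-%d")
| stats sum(count) AS Count
        min(_time) AS First
        max(_time) AS Last
        sparkline(sum(count), 1h) AS Distribution
    BY day
| eval First=strftime(First, "%m/%d/%y %H:%M"), Last=strftime(Last, "%m/%d/%y %H:%M")
| sort day
```

Because stats groups by the calendar day rather than by a timechart bucket, First and Last still have 1 minute resolution and the Distribution column shows how the counts spread across the hours of that day.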