The query is something like this: The query uses CoreLight data and excludes local and well known sources. | timechart count as s  span=5ds | fillnull value = 0 | eval time_interval = 0.5 | eval sequence_number = 1 | streamstats current=f sum(sequence_number) as seq | streamstats sum(time_interval) as time | eval time = time - time_interval | head=4096 | table time, s | fit FFT s from time Still working with it ....  Do you have any suggestions, improvements?   ... View more

So here's a sample dashboard. ... View more

So here's a scatter chart plotting the resultant magnitude.  I find a scatter chart a little easier to see the dominant frequencies (those that show stacked columns).  Clearly there is a strong beacon at 1 Hz and even stronger one at 1/2 Hz (every 2 sec).   There are probably others to inspect.  The data was generated looking at DNS traffic from Corelight data.  The data could have come from Splunk Stream just as easily, but we already have a Corelight infrastructure.  The query excludes internal DNS traffic and includes only A, AAAA, TXT DNS records.  Of course there's a lot of other factors such as  DNS caching and rotating ads to consider.  Now on to some addition hunting to find and exclude benign sources and hopefully find nothing!   As an aside, if anyone wants to see an fun use of the Fourier series, lookup "Fourier" and "Homer Simpson" on YouTube and see how Fourier series can draw Homer.   ... View more

Drop the mic and let me buy you a drink at the next .CONF!   ... View more

Thanks for the reply.  I got the splunk_stream_app_location correct (just to be clear for others, the 8000 is the default port used by Splunk web.  If one changes the web port, the app location should match -- port 8443 for me). My concern with opening up port 8443 in the DMZ, is well, it's the DMZ and not fully trusted.  Do you have any references for the manual option.  Thought I'd just give that a try even if I miss the monitoring or would it show up in my internal Stream app? ... View more

Is there a reason you don't just send to different IP ports? [//tcp:10514] connection_host = IP sourcetype = bluecoat:proxysg:access:file index = web #assumes Palo Alto firewall [//tcp:10515] connection_host = IP sourcetype = pan:traffic index = firewall ... View more

in the previous solution post I made reference to the image being sizable.  the answer that I arrived at was to save the image as an SVG file and use the SVG visualization addon.  I used MS Visio and was able to select a Visio element and add an http reference to the element.  Another gotcha that when you save as an scalable vector graphic from Visio you must deselect the "Include Visio data in files".  The other thing I did was to put the SVG file in a saved macro and used it to pass the SVG code visualization. ... View more