I got a use case I seem to be too inexperienced with to complete on my own. Since I just started delving into Splunk I still lack a lot of knowledge, so I would be glad for your advice.
- Count all DNS queries of a source IP in 8-hour slices per day (to make it easier to explain: timeslot t1=0-8, t2=8-16, t3=16-24)
- Calculate the average of each timeslot over the last 7 days (average of t1 on Monday - Sunday, average of t2 on Mo-Su, etc.)
I already tried:
- Trying to eval the timespan in 8-hour slots and then do a count
| eval t1 = relative_time(now(), "-8h")
| eval t2 = relative_time(t1, "-8h")
| eval t3 = relative_time(t2, "-8h")
| stats count(query) by src, t1, t2, t3
I always get the same result, no matter which t variable I select. When I display the t field values I get epoch timestamps, so it seems it's not really a timespan.
Tried the timechart command, which works fine to some point, but since I don't have values to compare I just get the same results for count and average.
index=dns earliest=-24h@h latest=@h
| timechart count(query) as average count span="8h" by src limit=10
Is it even possible to do what I want?
Thanks a lot for your ideas,
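One way to express the two steps described in the post above in SPL, added here as an example and not part of the original post. It assumes the index is `dns`, the source IP is in a field called `src`, and that the slots should follow the hour in the search-time zone (which is why the slot is derived from `strftime` rather than from `bin span=8h`, which aligns to UTC epoch boundaries):

```spl
index=dns earliest=-7d@d latest=@d
| eval day = strftime(_time, "%Y-%m-%d")
| eval slot = "t" . (floor(tonumber(strftime(_time, "%H")) / 8) + 1)
| stats count AS queries BY src, day, slot
| stats avg(queries) AS avg_queries, min(queries) AS min_queries, max(queries) AS max_queries, dc(day) AS days_seen BY src, slot
| sort src, slot
```

The first `stats` gives one row per source, day and slot (the daily counts the post asks for); the second collapses the seven days into the per-slot average. A `days_seen` below 7 means the source was silent in that slot on some days, and those zero-count days are not part of the average unless you fill them in first.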
I have a question concerning a CSV lookup table with domains in it, which sadly does not work.
To be more precise:
I got a lookup table I created with the Lookup editor with the following example entry and a single column called URL:
A simple | inputlookup file.csv will display that value correctly. If I try to use this list in a search, though, it just ignores it.
Here is my example search:
[ | inputlookup file.csv
| fields url ]
Is there any restriction in how an entry must be formatted to be accepted? *.trendmicro.com or trendmicro.com won't work either.
I just don't get what I am doing wrong since the contents of the file can be displayed.
Thanks a lot! Help is much appreciated.