cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
M_fahad_hassan
Engager
Member since: ‎11-04-2020
‎11-04-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎11-04-2020
Activity Feed
View All

Re: What does  "bin _time span=100ms, eval H=len(_...

by in Splunk Search
‎11-04-2020 12:22 PM
‎11-04-2020 12:22 PM
Thank you for your response.  what that time interval is doing i don't understand. Is it take 1 minute time difference from the times field and aggregate features on that basis like finding the mean of an packet size with a 1 minute time difference of values?  what is count doing there then? Still have question about An approximated covariance between two streams?   ... View more

What does  "bin _time span=100ms, eval H=len(_raw)...

by in Splunk Search
‎11-04-2020 08:59 AM
‎11-04-2020 08:59 AM
Hi,  I am having confusion in understanding some portion of following search. Can anyone help me in understanding it please.      index=main | where cidrmatch("192.168.10.1285", src_ip) AND dst_ip="192.168.10.61" OR cidrmatch("192.168.10.1285", dst_ip) AND src_ip="192.168.10.61" OR cidrmatch("192.168.10.1285", src_ip) AND cidrmatch("192.168.10.1285", dst_ip) | bin _time span=1m | eval H=len(_raw) | stats count as W(H) mean(H) stdev(H) BY _time src_ip | join src_ip [search index=main | where cidrmatch("192.168.10.1285", src_ip) AND dst_ip="192.168.10.61" OR cidrmatch("192.168.10.1285", dst_ip) AND src_ip="192.168.10.61" OR cidrmatch("192.168.10.1285", src_ip) AND cidrmatch("192.168.10.1285", dst_ip) | transaction src_ip dst_ip maxevents=2 | bin _time span=1m | eval HH_jit=len(_raw) | stats count as W(HH_jit) mean(HH_jit) stdev(HH_jit) BY _time src_ip dst_ip] | join src_ip [search index=main | where cidrmatch("192.168.10.1285", src_ip) AND dst_ip="192.168.10.61" OR cidrmatch("192.168.10.1285", dst_ip) AND src_ip="192.168.10.61" OR cidrmatch("192.168.10.1285", src_ip) AND cidrmatch("192.168.10.1285", dst_ip) | bin _time span=1m | eval HpHp=len(_raw) | stats count as W(HpHp) mean(HpHp) stdev(HpHp) BY _time src_ip src_port dst_ip dst_port] | table _time W(H) mean(H) stdev(H) W(HH_jit) mean(HH_jit) stdev(HH_jit) W(HpHp) mean(HpHp) stdev(HpHp) magnitude(HpHp) radius(HpHp) covariance(HpHp) correlation(HpHp)      It is used for the extraction of statistical features on the base of time frame like 35ms, 100ms, 1m. I am not understanding what it actually mean by time frame in it. what is the mean of "bin _time span", "eval H=len(_raw)" , "transaction" , "maxevents =2" means ? what is count doing here ?  covariance: An approximated covariance between two streams. what is mean between two streams here?  Here is some information use for aggregating the features   H=packet size transfer in a unidirectional  (host to all) HH_jit = difference in time between transaction with the same IP values(host to host) HpHp= packet transfer from host to host taking ports (host: port to host: port)  I have read from splunk search reference page about these different terms but not getting a clear picture about this particular case.  I need urgent help, i would appreciate a reply as soon as possible.   ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎11-04-2020 04:31 PM
Karma given to
View All