About Hisae

Hisae · ‎03-21-2023

Thank you! It didn't work as a copy paste but I made a few changes to make it work. This is what worked: index=firewall sourceip=10.0.0.1/24 | bin span=15m _time | stats avg(duration) AS AvgTotal max(duration) AS MaxDuration by sourceip app | eval outlier=if(MaxDuration>(AvgTotal*3), "yes", "no") | table _time sourceip AvgTotal MaxDuration app outlier I will try to make the 95th percentile work, it adds good context. Thanks a lot!

Hisae · ‎03-20-2023

Hello Everyone, I am trying to find outliers in connection duration on a specific subnet but having trouble getting the outliers part to show any results. I want to get avg duration of all traffic connections from a subnet (or list of IPs) by sourceIP and application. So I am grabbing the average of connections in a 15m bin. After evaluating the outliers I want to display the time bin, sourceIP, application, AvgDuration and Outlier I have tried following 2 queries till now and neither gives results when I try to get the results: 1. index=firewall sourceip=10.0.0.1/24 | bin span=15m _time | stats avg(duration) AS AvgTotal by sourceip, _time, app | eval outlier=if(duration>AvgTotal*3,1,0) | table _time sourceip app AvgDuration outlier 2. index=firewall sourceip=10.1.11.1 | timechart span=15m avg(duration) AS AvgDuration by sourceip, _time, app | eval outlier=if(duration>AvgDuration*3,1,0) | table _time sourceip app AvgDuration outlier This is just a test query I am trying, with plans to build on it. I think there something wrong in how I am calling the table. What am I doing wrong in the 2 queries?

Posts	2
Solutions	0
Karma Given	0
Karma Received	0
Member Since	‎03-20-2023

Online Status	Offline
Date Last Visited	‎03-21-2023 08:25 PM

How to find Network Traffic Outliers?

Re: How to find Network Traffic Outliers?

How to find Network Traffic Outliers?