Hi @rosho! I am Young Cho, author of the "Getting Started with Splunk Security" app. I saw this question and also saw @woodcock's good answer. This is to show you the approach (technique) for engineering features from security activities for either machine learning or applying statistics. So, the real application should really consider the right threshold, or it can also be a machine learning model, to point out anomalies based on the type of traffic in the network.
Also, streamstats should do "| streamstats avg(gap) by src dest", where I feel that it should be by "src dest" instead of just "dest". Let me know what you think, and I'd love to know if some of these techniques work for your environment.
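The gap feature discussed above, worked through in Python as an added example (this is not code from the post, the app, or the Splunk search itself): it computes the inter-connection gap and a running average of that gap per pair, the same thing `| streamstats avg(gap) by src dest` produces, over a handful of constructed connection events. The sample events, the `min_gaps`/`max_cv` threshold values and the function names are assumptions made for illustration; the thresholds in particular are placeholders to be tuned to your own traffic, as the post says.

```python
# Added example (not from the original post): feature engineering of the
# connection "gap" per (src, dest) pair, mirroring
#   ... | streamstats avg(gap) by src dest
# over constructed events, then a simple per-pair statistic and threshold.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events (not real traffic): (epoch seconds, src, dest).
# 10.0.0.5 -> 203.0.113.9 talks every 60 s; 10.0.0.7 -> 198.51.100.2 is irregular;
# 10.0.0.5 also touches 198.51.100.2 once, which matters when grouping by dest only.
EVENTS = [
    (1000, "10.0.0.5", "203.0.113.9"),
    (1060, "10.0.0.5", "203.0.113.9"),
    (1120, "10.0.0.5", "203.0.113.9"),
    (1180, "10.0.0.5", "203.0.113.9"),
    (1240, "10.0.0.5", "203.0.113.9"),
    (1010, "10.0.0.7", "198.51.100.2"),
    (1400, "10.0.0.7", "198.51.100.2"),
    (1405, "10.0.0.7", "198.51.100.2"),
    (2900, "10.0.0.7", "198.51.100.2"),
    (1100, "10.0.0.5", "198.51.100.2"),
]


def gap_features(events, group_by_src=True):
    """Sort by time, then for each event compute the gap since the previous
    event in the same group and the running average of that gap (what
    streamstats avg(gap) yields). group_by_src=True groups by (src, dest);
    False groups by dest only, so the two choices in the post can be compared."""
    rows = []
    last_seen = {}
    running = defaultdict(list)
    for ts, src, dest in sorted(events):
        key = (src, dest) if group_by_src else (dest,)
        gap = ts - last_seen[key] if key in last_seen else None
        last_seen[key] = ts
        if gap is not None:
            running[key].append(gap)
        rows.append({
            "_time": ts, "src": src, "dest": dest, "key": key, "gap": gap,
            "avg_gap": mean(running[key]) if running[key] else None,
        })
    return rows


def group_summary(rows):
    """Per group: number of gaps, mean gap, and coefficient of variation
    (stdev / mean). A small CV over enough samples is the regular-interval
    pattern a threshold or an ML model would be asked to surface."""
    gaps = defaultdict(list)
    for r in rows:
        if r["gap"] is not None:
            gaps[r["key"]].append(r["gap"])
    out = {}
    for key, g in gaps.items():
        m = mean(g)
        out[key] = {"count": len(g), "avg_gap": m,
                    "cv": (pstdev(g) / m) if m else None}
    return out


def flag_regular(summary, min_gaps=3, max_cv=0.2):
    """Threshold values are assumptions for this example, not recommendations;
    tune them to the traffic in your own network."""
    return sorted(
        key for key, s in summary.items()
        if s["count"] >= min_gaps and s["cv"] is not None and s["cv"] <= max_cv
    )


if __name__ == "__main__":
    rows = gap_features(EVENTS)
    for r in rows:
        print(r["_time"], r["src"], r["dest"], r["gap"], r["avg_gap"])
    print("flagged (src, dest):", flag_regular(group_summary(rows)))
    print("dest-only groups:", group_summary(gap_features(EVENTS, group_by_src=False)))
```

Running it flags only the 60-second (10.0.0.5, 203.0.113.9) pair. Grouping by dest alone folds the single 10.0.0.5 connection into the 198.51.100.2 gap series, which is the mixing the post's "by src dest" grouping avoids.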