- Splunk Answers
- :
- Splunk Administration
- :
- Monitoring Splunk
- :
- Setting the threshold for the detect large outboun...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Setting the threshold for the detect large outbound ICMP Packets correlation
Hi,
Could someone assist me in setting the threshold for this correlation search in ES? It's generating an excessive number of notables over the last 7 days, roughly around 30k. How can we reduce the number of notables? Additionally, I've provided the bytes_out data for the last 24 hrs. Please set the threshold based on that data.
| tstats `summariesonly` count
values(sourcetype) AS sourcetype,
values(All_Traffic.src_zone) AS src_zone,
earliest(_time) as earliest,
latest(_time) as latest,
values(All_Traffic.action) AS action.
values(All_Traffic.bytes_out) AS bytes_out,
values(All_Traffic.bytes_in) AS bytes_in,
sum(All_Traffic.bytes) AS bytes,
values(All_Traffic.direction) AS direction,
values(All_Traffic.app) AS app,
from datamodel=Network_Traffic
("bytes_out"
163
594
594
594
594
294
686
215
392
392
98
954
215
86
424
900
530
594
594
117
294
882
148
258
320
594
516
142
215
159
215
86
98
98
369
401
159
215
215
594
212
215
220
585
203
594
680
212
159
159
159
159
159
718
159
159
159
159
594
221
146
318
318
159
159
318
318
318
318
159
159
159
159
159
159
636
318
159
159
159
159
159
159
159
159
159
159
159
159
159
159
318
159
318
318
318
318
326
159
159
753
159
326
657
912
159
318
159
159
159
159
159
318
148
148
814
594
320
159
159
159
159
159
159
159
159
159
318
318
159
795
318
318
159
159
565
870
159
321
912
318
318
508
159
159
567
487
159
836
507
159
159
318
477
318
318
159
159
318
318
318
477
246
155
594
594
594
594
594
594
99
159
159
222
241
159
438
565
400
159
159
159
318
795
148
119
667
159
479
486
477
477
406
828
477
222
222
148
753
159
159
159
159
159
159
159
159
159
159
159
159
159
159
159
159
159
159
159
159
159
159
159
159
159
159
159
159
159
159
159
159
159
159
594
784
323
594
318
159
388
318
318
711
318
388
159
159
159
159
350
350
318
318
560
318
318
719
318
646
620
159
801
159
620
159
779
318
912
318
318
318
318
318
318
323
641
810
318
318
318
323
620
318
620
318
870
159
159
159
620
461
318
318
779
318
870
159
870
323
388
318
318
870
318
350
832
318
159
318
318
810
318
159
318
318
318
318
318
733
318
323
323
323
651
159
159
318
318
318
318
318
318
159
159
159
159
159
159
159
159
159
159
159
159
318
318
318
318
159
159
159
159
159
159
159
159
318
159
159
159
159
159
159
159
318
159
319
318
318
665
935
356
574
197
197
201
159
477
477
963
477
486
159
318
159
594
155
824
400
350
318
477
222
159
222
296
518
666
318
477
171
318
318
159
159
159
159
155
318
318
318
318
477
159
159
159
159
318
318
159
318
159
159
318
722
318
318
439
549
328
477
159
318
964
603
318
318
159
159
196
370
148
753
159
159
569
159
765
477
594
370
370
318
318
636
318
466
587
428
444
159
148
148
159
159
159
159
159
159
159
159
159
159
159
159
159
753
594
159
159
159
159
159
159
159
159
159
159
159
159
159
159
159
159
159
159
159
159
159
159
159
159
477
159
758
326
979
159
159
318
318
318
318
318
594
318
318
159
318
159
318
159
159
159
159
159
159
159
159
318
318
318
318
159
159
636
159
159
679
159
753
667
318
318
318
159
159
159
159
753
331
331
318
159
649
159
353
353
159
159
512
159
326
955
159
753
159
326
326
159
159
912
753
159
159
594
325
325
318
318
912
159
318
159
318
326
159
159
753
159
326
924
318
943
159
665
159
594
594
400
159
159
159
159
159
159
159
159
159
159
159
159
159
159
908
222
439
525
318
159
603
159
159
148
222
318
318
728
318
318
159
159
159
159
155
155)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since you provided bytes_out data I presume that is the value you want to use for a threshold. Create a threshold by using the where command in the CS.
| tstats `summariesonly` count
values(sourcetype) AS sourcetype,
values(All_Traffic.src_zone) AS src_zone,
earliest(_time) as earliest,
latest(_time) as latest,
values(All_Traffic.action) AS action.
values(All_Traffic.bytes_out) AS bytes_out,
values(All_Traffic.bytes_in) AS bytes_in,
sum(All_Traffic.bytes) AS bytes,
values(All_Traffic.direction) AS direction,
values(All_Traffic.app) AS app,
from datamodel=Network_Traffic
| where bytes_out > 159Adjust the "159" as necessary to get the expected number of notables.
If this reply helps you, Karma would be appreciated.
Introducing the Splunk Community Dashboard Challenge!
Get the T-shirt to Prove You Survived Splunk University Bootcamp
Wondering How to Build Resiliency in the Cloud?
