Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

easy way to determine cause for increase in traffic

dtakacssplunk
Explorer
‎10-19-2020 01:15 PM

suppose my logs have fields A=a1..aN, B=b1..bN, C=c1..cN
and I see an increase in number of requests, i.e
index=* | bucket _time span=1h | stats count by _time
Is there a special query that I can execute which allows me to easily figure out which dimension / value is contributing to the increase most?
e.g. the outcome would be
A=a423 has increased the traffic the most

Labels (1)
Labels
Reply

bowesmana
SplunkTrust
SplunkTrust
‎10-19-2020 04:29 PM

This is a bit fiddly as normally you could use top to find the most common field. One question, do you want to have your top field shown by 1 hour time as in your example.

Anyway, you can try this

index=*
| bucket _time span=1h
| eventstats count as topA by A _time
| eventstats count as topB by B _time
| eventstats count as topC by C _time
| eventstats max(topA) as maxA by _time
| eventstats max(topB) as maxB by _time
| eventstats max(topC) as maxC by _time
| where topA=maxA OR topB=maxB OR topC=maxC
| stats values(eval(if(topA=maxA,A,null()))) as A 
        values(eval(if(topB=maxB,B,null()))) as B 
        values(eval(if(topC=maxC,C,null()))) as C
        max(max*) as max* by _time
| table _time A maxA B maxB C maxC

It's heavy on using eventstats, which is not very efficient, but is calculating counts of each of the fields then looking for the max of those fields and then filtering only the ones that are max for each of the fields.

The final stats is then working out the values of each field (there could be more than one value with the same count)

This will give you the max of each field in the given time period

Hope this is useful

I may have over complicated it, but I can't think of a simple solution at the moment, others may chime in.

 

Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...