Splunk Enterprise

easy way to determine cause for increase in traffic

dtakacssplunk
Explorer

suppose my logs have fields A=a1..aN, B=b1..bN, C=c1..cN
and I see an increase in number of requests, i.e
index=* | bucket _time span=1h | stats count by _time
Is there a special query that I can execute which allows me to easily figure out which dimension / value is contributing to the increase most?
e.g. the outcome would be
A=a423 has increased the traffic the most

Labels (1)

bowesmana
SplunkTrust
SplunkTrust

This is a bit fiddly as normally you could use top to find the most common field. One question, do you want to have your top field shown by 1 hour time as in your example.

Anyway, you can try this

index=*
| bucket _time span=1h
| eventstats count as topA by A _time
| eventstats count as topB by B _time
| eventstats count as topC by C _time
| eventstats max(topA) as maxA by _time
| eventstats max(topB) as maxB by _time
| eventstats max(topC) as maxC by _time
| where topA=maxA OR topB=maxB OR topC=maxC
| stats values(eval(if(topA=maxA,A,null()))) as A 
        values(eval(if(topB=maxB,B,null()))) as B 
        values(eval(if(topC=maxC,C,null()))) as C
        max(max*) as max* by _time
| table _time A maxA B maxB C maxC

It's heavy on using eventstats, which is not very efficient, but is calculating counts of each of the fields then looking for the max of those fields and then filtering only the ones that are max for each of the fields.

The final stats is then working out the values of each field (there could be more than one value with the same count)

This will give you the max of each field in the given time period

Hope this is useful

I may have over complicated it, but I can't think of a simple solution at the moment, others may chime in.

 

Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...