Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

easy way to determine cause for increase in traffic

dtakacssplunk
Explorer
‎10-19-2020 01:15 PM

suppose my logs have fields A=a1..aN, B=b1..bN, C=c1..cN
and I see an increase in number of requests, i.e
index=* | bucket _time span=1h | stats count by _time
Is there a special query that I can execute which allows me to easily figure out which dimension / value is contributing to the increase most?
e.g. the outcome would be
A=a423 has increased the traffic the most

Labels (1)
Labels
Reply

bowesmana
SplunkTrust
SplunkTrust
‎10-19-2020 04:29 PM

This is a bit fiddly as normally you could use top to find the most common field. One question, do you want to have your top field shown by 1 hour time as in your example.

Anyway, you can try this

index=*
| bucket _time span=1h
| eventstats count as topA by A _time
| eventstats count as topB by B _time
| eventstats count as topC by C _time
| eventstats max(topA) as maxA by _time
| eventstats max(topB) as maxB by _time
| eventstats max(topC) as maxC by _time
| where topA=maxA OR topB=maxB OR topC=maxC
| stats values(eval(if(topA=maxA,A,null()))) as A 
        values(eval(if(topB=maxB,B,null()))) as B 
        values(eval(if(topC=maxC,C,null()))) as C
        max(max*) as max* by _time
| table _time A maxA B maxB C maxC

It's heavy on using eventstats, which is not very efficient, but is calculating counts of each of the fields then looking for the max of those fields and then filtering only the ones that are max for each of the fields.

The final stats is then working out the values of each field (there could be more than one value with the same count)

This will give you the max of each field in the given time period

Hope this is useful

I may have over complicated it, but I can't think of a simple solution at the moment, others may chime in.

 

Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...