Apologies for the delay, I would love to help!
Let's first start by identifying what we want out of the average connections field:
Are we trying to find an average amount of connections by the source ip?
Are we trying to find an average amount of connections by the destination ip?
Are we trying to find the average amount of connections by both source ip and destination ip over a certain time frame and comparing it to our current time frame? (i.e. today's connections vs. last week's connections)
If it's one of the first two questions, that should be relatively simple.
For average by source ip:
index=network_index_name (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) AND (dest_ip=10.0.0.0/8 OR dest_ip=172.16.0.0/12 OR dest_ip=192.168.0.0/16) dest_port=*
| stats count by src_ip, dest_ip
| eventstats avg(count) as Average_Connections by src_ip
| table src_ip dest_ip count Average_Connections
| rename src_ip AS "Source_IP", dest_ip AS "Destination_IP", count AS "Current_Connections"
For average by destination ip:
index=network_index_name (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) AND (dest_ip=10.0.0.0/8 OR dest_ip=172.16.0.0/12 OR dest_ip=192.168.0.0/16) dest_port=*
| stats count by src_ip, dest_ip
| eventstats avg(count) as Average_Connections by dest_ip
| table src_ip dest_ip count Average_Connections
| rename src_ip AS "Source_IP", dest_ip AS "Destination_IP", count AS "Current_Connections"
If it's the third question, it might be a bit more complicated and time consuming depending on both the time range, and the unique source ip/destination ip pairs we're working with.
In any event, I hope this helps. Let me know how this works for you!
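To make the semantics of the two searches above concrete, here is an added Python model of the same pipeline (this is not code from the original post or from Splunk): `stats count by src_ip, dest_ip` collapses the events to one row per pair, and `eventstats avg(count) ... by src_ip` keeps every row while attaching the group average to each. It also sketches the third case the post mentions, comparing each pair's count in the current window against its daily average over a prior baseline window. The connection records, the field names (`src_ip`, `dest_ip`, `dest_port`, `_time`) and the `NOW` timestamp are all constructed for the example.

```python
"""Added example (not from the original post): a Python model of the SPL
pipeline `stats count by src_ip, dest_ip | eventstats avg(count) by src_ip`
run over constructed connection records, plus a current-window vs. baseline
comparison for the post's third question. All records are constructed."""

from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# RFC 1918 ranges, matching the src_ip/dest_ip filter in the SPL search.
PRIVATE_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]

# Constructed "now" for the sample data (assumption, not real data).
NOW = datetime(2024, 1, 8, 0, 0)


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def filter_internal(events):
    """The base search: internal-to-internal flows that carry a dest_port."""
    return [e for e in events
            if e.get("dest_port") is not None
            and is_internal(e["src_ip"]) and is_internal(e["dest_ip"])]


def stats_count(events):
    """`stats count by src_ip, dest_ip`: one row per (src, dest) pair."""
    counts = Counter((e["src_ip"], e["dest_ip"]) for e in events)
    return [{"src_ip": s, "dest_ip": d, "count": c}
            for (s, d), c in sorted(counts.items())]


def eventstats_avg(rows, by):
    """`eventstats avg(count) as Average_Connections by <by>`: unlike stats,
    every input row survives and the group's average is attached to it."""
    groups = defaultdict(list)
    for r in rows:
        groups[r[by]].append(r["count"])
    return [{**r, "Average_Connections": sum(groups[r[by]]) / len(groups[r[by]])}
            for r in rows]


def average_by(events, by):
    """The whole search: filter, stats, eventstats (by 'src_ip' or 'dest_ip')."""
    return eventstats_avg(stats_count(filter_internal(events)), by)


def compare_to_baseline(events, now, window=timedelta(days=1), baseline_days=7):
    """Third question: each pair's count in the current window vs. its average
    daily count over the preceding baseline_days. A pair missing from the
    baseline gets 0.0, which is how a brand-new flow stands out."""
    current_start = now - window
    baseline_start = current_start - timedelta(days=baseline_days)
    current, baseline = Counter(), Counter()
    for e in events:
        pair = (e["src_ip"], e["dest_ip"])
        if current_start <= e["_time"] < now:
            current[pair] += 1
        elif baseline_start <= e["_time"] < current_start:
            baseline[pair] += 1
    return {pair: {"Current_Connections": current[pair],
                   "Baseline_Daily_Average": baseline[pair] / baseline_days}
            for pair in sorted(set(current) | set(baseline))}


def make_events():
    """Constructed sample records (not real traffic)."""
    def ev(src, dst, when, port=443):
        return {"src_ip": src, "dest_ip": dst, "dest_port": port, "_time": when}
    today = NOW - timedelta(hours=1)
    events = [ev("10.0.0.5", "10.0.0.10", today) for _ in range(3)]
    events += [ev("10.0.0.5", "10.0.0.11", today)]
    events += [ev("192.168.1.2", "10.0.0.10", today) for _ in range(2)]
    events += [ev("10.0.0.5", "8.8.8.8", today)]              # external dest: filtered out
    events += [ev("10.0.0.5", "10.0.0.10", today, port=None)]  # no dest_port: filtered out
    for day in range(1, 8):                                    # seven baseline days
        when = NOW - timedelta(days=day, hours=12)
        events += [ev("10.0.0.5", "10.0.0.10", when)]
        events += [ev("192.168.1.2", "10.0.0.10", when) for _ in range(2)]
    return events


if __name__ == "__main__":
    for row in average_by(make_events(), "src_ip"):
        print(row)
    for pair, stats in compare_to_baseline(filter_internal(make_events()), NOW).items():
        print(pair, stats)
```

Note that `Average_Connections` is the mean over the pairs a source (or destination) talks to across the whole search range, not a rate over time; the `compare_to_baseline` helper is what gives a per-pair "today vs. last week" figure, and it is the shape of the more expensive third search the post alludes to.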