Monitoring 15% drop in logins with delta

hornettj · ‎02-14-2016

Hi bit of background, I am trying to monitor a 15% drop in logins using the delta command at the moment over Last 15mins

I am using the below search as my test:
index=*_XXXX_app AND (/security/session) | eval call=case(uri like "/security/session%","Login") | timechart count span=5m | delta count as difference | eval percdif=round(abs(difference/count)*100,0)

My Final Search which I will use to create an alert is:
index=*_XXXX_app AND (/security/session) | eval call=case(uri like "/security/session%","Login") | timechart count span=5m | delta count as difference | eval percdif=round(abs(difference/count)*100,0) | where percdif>=15 AND difference<0 | eval mesg="Suspected Service Impact 15 Percent drop in Traffic" | table _time mesg

The problem I have is it keeps triggering against the last minute

example if I run it I get

_time count difference percdif
2016-02-14 08:45:00 258

2016-02-14 08:50:00 377 119 32
2016-02-14 08:55:00 358 -19 5
2016-02-14 09:00:00 15 -343 2287

It does not like the first and last minute of data, do I need to find away to get it to ignore the last minute?

renjith_nair · ‎02-14-2016

Try the option partial=false in timechart to exclude the partial buckets(beginning and end)

---
What goes around comes around. If it helps, hit it with Karma 🙂

hornettj · ‎02-14-2016

Unfortunately that still did not work

I think I found a work around by using a relative searc
Relative:
Earliest = 12min “Beginning of minute”
Latest = “Beginning of current minute”

So far its behaving

Monitoring 15% drop in logins with delta

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk