Dashboards & Visualizations

Show two timecharts in one dashboard panel?

tfitzgerald15
Explorer

I'm trying to turn Splunk into my own custom IDS based on the data dumping in from Palo Alto. Right now I have a search that throws back a timechart of the top internal IPs...

sourcetype="pan_threat" log_subtype="spyware" (severity="high" OR severity="critical") | eval frp_ip=if(dst_zone="trust", dst_ip, src_ip) | timechart count by frp_ip useother=f

That works fantastically. Shows me the top 10 IPs throwing high or critical threat traffic. However, I want to correlate a baseline into it using the trendline command. However, I can't figure out how / where to throw the trendline command to get the desired effect of the trendline overlaying the existing chart. I also don't know how to throw the "period" field, as I don't know what the integer represents. (Seconds? Minutes? Something completely different that won't automatically correlate with time? Can I just throw a command in there for it to find the search window and automatically use that?) However, even when using the following code, it doesn't change my chart at all (threw 5 in there for testing purposes).

sourcetype="pan_threat" log_subtype="spyware" (severity="high" OR severity="critical") | eval frp_ip=if(dst_zone="trust", dst_ip, src_ip) | timechart count by frp_ip useother=f | trendline sma5(count)

Anyone familiar with this usage that can give me a little advice? I'm far from a RegEx Guru, but if building this IDS myself without XML Edit access has taught me anything, it's the inner workings of RegEx.

-Travis


yannK
Splunk Employee

The problem is that your timechart returns results in a table like:
_time ip1 ip2 ip3
2013-09-26 11:00:00 valueA valueB valueC
2013-09-26 11:10:00 valueA valueB valueC
etc...

and your trendline function is looking for a "count" field that doesn't exist anymore (it has the name of the frp_ip instead).

You could do a specific trendline for a precise ip only.

Or use a general trendline over the total values

sourcetype="pan_threat" log_subtype="spyware" (severity="high" OR severity="critical") | eval frp_ip=if(dst_zone="trust", dst_ip, src_ip) | timechart count by frp_ip useother=f | addtotals | trendline sma5(Total)

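To make the answer concrete, here is an added Python emulation (not from the thread or from Splunk) of what the pipeline hands to trendline: a constructed timechart table with one column per IP, addtotals producing a Total column, and sma5 as a simple moving average whose period is a number of timechart buckets, not seconds. The IP addresses and counts are made up, and the "no output for a missing field" and "empty until the window fills" behaviours are modelled as assumptions about the SPL command.

```python
from collections import deque

# Constructed timechart output (not real data): one row per bucket, one
# column per frp_ip. Note there is no `count` column left after the split.
TIMECHART_ROWS = [
    {"_time": "2013-09-26 11:00:00", "10.0.0.5": 3,  "10.0.0.9": 1, "10.0.1.2": 0},
    {"_time": "2013-09-26 11:10:00", "10.0.0.5": 5,  "10.0.0.9": 0, "10.0.1.2": 2},
    {"_time": "2013-09-26 11:20:00", "10.0.0.5": 2,  "10.0.0.9": 4, "10.0.1.2": 1},
    {"_time": "2013-09-26 11:30:00", "10.0.0.5": 9,  "10.0.0.9": 1, "10.0.1.2": 0},
    {"_time": "2013-09-26 11:40:00", "10.0.0.5": 1,  "10.0.0.9": 2, "10.0.1.2": 3},
    {"_time": "2013-09-26 11:50:00", "10.0.0.5": 40, "10.0.0.9": 1, "10.0.1.2": 1},
]


def addtotals(rows):
    """Like SPL `addtotals`: sum the numeric columns of each row into `Total`."""
    out = []
    for row in rows:
        numeric = [v for k, v in row.items()
                   if k != "_time" and isinstance(v, (int, float))]
        out.append({**row, "Total": sum(numeric)})
    return out


def trendline_sma(rows, period, field, out_field=None):
    """Like SPL `trendline sma<period>(<field>)`: mean of the last `period`
    data points (buckets). Assumed behaviour: rows before the window fills
    get None, and a field that is absent (the poster's `count`) yields no
    trend column at all, which is why the chart did not change."""
    out_field = out_field or f"sma{period}({field})"
    window = deque(maxlen=period)
    out = []
    for row in rows:
        if field not in row:
            out.append(dict(row))
            continue
        window.append(row[field])
        value = sum(window) / period if len(window) == period else None
        out.append({**row, out_field: value})
    return out


def above_baseline(rows, field, trend_field, factor=2.0):
    """Buckets where the value exceeds `factor` times its moving-average
    baseline: the kind of deviation an IDS-style dashboard would highlight."""
    return [r["_time"] for r in rows
            if r.get(trend_field) is not None and r[field] > factor * r[trend_field]]
```

Running trendline_sma on the raw table with field "count" adds nothing, while addtotals followed by sma5 on "Total" (or sma5 on a single IP column, the per-IP option the answer mentions) gives the overlayable baseline.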