How does SPLUNK learn and correlate ?

DebbieLewis · ‎12-28-2011

I'm interested in intelligent analytics applications i.e. learning about data behaviour in order to alert on non-normal behaviours, before service outages occur. Anyone looked at this with SPLUNK or does anything with an app. ?

mayler · ‎12-28-2011

I'm not sure I can answer that question but figured I would add my 2cents. I asked the same question. I'm using splunk to monitor my networking equipment logs but I wanted to be notified when something abnormal happened. It took some experimenting but this is what I came up with.

I logged into my machine and counted the number of log entries that were created by simply logging in. It created about 10 lines (ssh, info, etc). But if I gave the equipment the wrong password a few times, it generated 20-30 lines of logs. So I created an alert that said if you see more than 15 lines in the last minute, alert me. Using that alert, I've found computer techs in other departments scanning the entire subnet with default snmp community strings!

So it's hard to create a baseline, but you can determine the average number of logs generated at any given time, and create alerts if that number exceeds the average. Hope that helps. I'm not sure what equipment you are logging.

MHibbin · ‎12-28-2011

You could also use the transaction command to some effect, by determining standard start and end points and find any events which do not fit the part.

How does SPLUNK learn and correlate ?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life