Solved: Average of web requests blocked - span of 10 minut...

rookie507SL · ‎09-06-2017

Hi mates,

I'm trying to get the most 10 IP addresses with blocked web requests during a month, but the threshold should be using the count of requests during a 10 minutes window.

This is my query so far

index=index-example  dest_interface=wan_if sourcetype=source_example action=blocked subtype=webfilter | bucket _time span=10m
| stats count by source_ip URL 
| where count > 50

If I use the query above, I will get the IP addresses and URL visited. But, if I search for a month using this query, I will get a sum of the "count" value, getting results of 7,000 for example.

I would like to get an average of the count value, and this way I can see which IP addresses are involved in this type of traffic.

I read about using avg(field), but I cannot decide where to use it. I thought about including "stats avg(count)" but I cannot get results.

Please, any idea would be appreciated.

Thanks !

woodcock · ‎09-06-2017

Like this:

index=index-example  dest_interface=wan_if sourcetype=source_example action=blocked subtype=webfilter
| bucket _time span=10m
| stats count BY source_ip URL _time
| stats avg(count) AS count BY source_ip URL
| where count > 50

View solution in original post

woodcock · ‎09-06-2017

Like this:

index=index-example  dest_interface=wan_if sourcetype=source_example action=blocked subtype=webfilter
| bucket _time span=10m
| stats count BY source_ip URL _time
| stats avg(count) AS count BY source_ip URL
| where count > 50

rookie507SL · ‎09-13-2017

Sorry for the late response.

Really thank you for your reply, it worked.

Average of web requests blocked - span of 10 minutes

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM