I have the following which provides me the total number of events for each minute and the predicted value as well as the residual for that time.
I want to break this up by Country, so for each client ip, do the same but separate them by each country.
Any idea how to start?
index=* sourcetype="access_combined" clientip=*
| bin _time span=1m
| stats count AS perMin by _time
| timechart span=1m sum(perMin) AS Total
| predict Total as prediction algorithm=LLP future_timespan=5 holdback=0
| where prediction!="" AND Total!=""
| eval residual = prediction - Total
Can you try this,
index=* sourcetype="access_combined" clientip=*
| iplocation clientip
| bin _time span=1m
| stats count AS perMin by _time Country
| stats sum(perMin) AS Total by _time Country
| predict Total as prediction algorithm=LLP future_timespan=5 holdback=0
| where prediction!="" AND Total!=""
| eval residual = prediction - Total
This is exactly what I was looking for, thank you!
I was trying to use timechart because I thought that, to use the predict command, it had to be preceded by the timechart command; in this case, stats worked just fine.
You need the iplocation command to populate the country name based on clientip.
Please modify your query as below:
|makeresults
|eval clientip = "136.168.3.2,119.56.76.89"
|eval clientip = split(clientip , ",")
|mvexpand clientip
|iplocation clientip
|bin _time span=1m
|stats count as count1m by _time Country
|eventstats sum(count1m) as total by _time
Happy Splunking !!
Not sure if that works? Is there something wrong with my query?
index=* sourcetype="access_combined" clientip=*
|makeresults
|eval clientip = "136.168.3.2,119.56.76.89"
|eval clientip = split(clientip , ",")
|mvexpand clientip
|iplocation clientip
|bin _time span=1m
|stats count as count1m by _time Country
|eventstats sum(count1m) as total by _time
Corrected query:
index=* sourcetype="access_combined" clientip=*
|iplocation clientip
|bin _time span=1m
|stats count as count1m by _time Country
|eventstats sum(count1m) as total by _time
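Added example, not part of either answer above: one search that combines the two approaches in this thread, per-country counts plus a per-minute total, and runs predict on both. predict has no by clause, so the countries are pivoted into columns with timechart ... BY Country and each column gets its own forecast (predict accepts several fields at once). fillnull keeps events whose IP iplocation cannot resolve (RFC 1918 addresses, for instance) from silently dropping out of the split. The residual keeps the thread's sign convention (prediction minus actual), so a burst from one country shows up as a strongly negative residual, and a minute whose actual count is above the upper 95% band is flagged explicitly. Assumptions: "United States" is among the two busiest countries in the search window (otherwise change the rename and the limit), and pred_Total, pred_US, upper95_US, residual_* and burst_US are field names chosen here, not Splunk defaults.

```spl
index=* sourcetype="access_combined" clientip=*
| iplocation clientip
| fillnull value="Unknown" Country
| timechart limit=2 span=1m count BY Country useother=true
| rename "United States" AS US
| addtotals fieldname=Total
| predict Total AS pred_Total US AS pred_US algorithm=LLP future_timespan=5 holdback=0
| rename "upper95(pred_US)" AS upper95_US
| where isnotnull(Total)
| eval residual_Total = pred_Total - Total
| eval residual_US = pred_US - US
| eval burst_US = if(US > upper95_US, "yes", "no")
| table _time Total pred_Total residual_Total US pred_US upper95_US residual_US burst_US
```

addtotals runs before predict so that Total only sums the country columns and not the forecast fields, and where isnotnull(Total) drops the five forecast-only minutes the same way the thread's where clause does. For an alert, replace the final table with where burst_US="yes".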