Splunk Search

Predict Command: Endpoint Communicating with Excessive Hosts

MikeElliott
Communicator

Hi team,

I hope that we are all well?

I'm looking to develop a use case designed to identify where an endpoint has seen a spike in outbound communications.

I've been trying to use the predict command - this is great for determining spikes in network traffic in general, but I can't seem to tighten it to look at endpoints on a host-by-host basis.

I'd love for some logic that would identify the endpoint responsible for the spike in network traffic, rather than just a "oh, there's been a spike in network traffic, but who knows which endpoint was responsible".

My logic for determining spikes is as below:

| tstats summariesonly=f prestats=t count FROM datamodel=Network_Traffic where nodename=All_Traffic earliest=-25h latest=-1h by _time span=5m
| timechart span=5m count as Network_Traffic
| predict Network_Traffic as Predicted_Traffic
| rename upper95(Predicted_Traffic) as Ceiling

Any assistance would be greatly appreciated 🙂

Kind regards,
Mike
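One way to get a per-endpoint verdict, added here as an example and not taken from the original post: since predict forecasts a field as a whole rather than per group value, this search builds a baseline per source (the first 24 hours of the window) and scores each source's latest hour against it as a z-score. It assumes the Network_Traffic data model fields All_Traffic.src and All_Traffic.dest, counts distinct destinations per 5-minute bucket (matching the thread title; swap in count for raw traffic volume), and uses illustrative thresholds of z-score above 3 and more than 20 destinations.

```spl
| tstats summariesonly=f dc(All_Traffic.dest) AS dest_count
    FROM datamodel=Network_Traffic
    WHERE nodename=All_Traffic earliest=-25h latest=now
    BY All_Traffic.src _time span=5m
| rename All_Traffic.src AS src
| eval period=if(_time >= relative_time(now(), "-1h"), "current", "baseline")
| eventstats avg(eval(if(period="baseline", dest_count, null()))) AS baseline_avg
             stdev(eval(if(period="baseline", dest_count, null()))) AS baseline_stdev
             BY src
| where period="current"
| eval baseline_stdev=if(isnull(baseline_stdev) OR baseline_stdev=0, 1, baseline_stdev)
| eval zscore=round((dest_count - baseline_avg) / baseline_stdev, 2)
| where zscore > 3 AND dest_count > 20
| stats max(zscore) AS max_zscore max(dest_count) AS peak_dest_count
        values(baseline_avg) AS baseline_avg BY src
| sort - max_zscore
```

The baseline_stdev guard keeps a source that was silent or perfectly flat for 24 hours from dividing by zero, so a host that suddenly starts talking still surfaces instead of being dropped.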
