I have the following search. I'm trying to get it to show the src, dst, current amount of connections, and then an average of how many times the src connects to the dst.
Something doesn't seem right with the code I have; I think something is wrong with the avg function I have in there.
I would like it to go back a few days and give me the average amount of connections based on those results and then show me what's currently happening.
For instance:
src        dst        Current  AVG
0.0.0.0    0.0.0.1    4450     300
This is not right:
index=net_index* (src_ip = 10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) AND (dest_ip=10.0.0.0/8 OR dest_ip=172.16.0.0/12 OR dest_ip=192.168.0.0/16) dest_port=* action=allowed
|eventstats count by dest_ip | rename count as "Current Connections"
|bucket span=15m _time
|eventstats count by src_ip | rename count as "Average Connections"
|table src_ip, dest_ip,"Current Connections", "Average Connections"
Try this:
index=net_index* (src_ip = 10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) AND (dest_ip=10.0.0.0/8 OR dest_ip=172.16.0.0/12 OR dest_ip=192.168.0.0/16) dest_port=* action=allowed
| bin _time span=15m
| stats count BY src_ip dest_ip _time
| stats first(count) AS "Current Connections" avg(count) AS "Average Connections" BY src_ip dest_ip
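To make the four stages of that answer inspectable outside Splunk, here is the same pipeline (CIDR filter, bin _time span=15m, stats count BY src_ip dest_ip _time, then first()/avg() per pair) re-implemented in Python over a handful of constructed firewall lines. This is an added example, not code from the original thread or from Splunk; the field names src_ip/dest_ip/dest_port/action follow the question, while the log line layout and the ISO timestamp format are assumptions. It goes one step beyond the SPL by also computing a baseline over the earlier buckets only, which is what a practitioner usually means by "average" when the newest bucket is the one being judged.

```python
"""Added example (not part of the original Splunk Answers thread): the SPL answer's
bin -> stats count -> stats first()/avg() pipeline re-implemented in Python over
constructed log lines, so each step can be inspected offline."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall lines (not real traffic). Field names follow the
# question; the line layout and ISO-8601 timestamp format are assumptions.
SAMPLE_LOGS = """\
2024-01-01T00:03:00Z src_ip=10.0.0.5 dest_ip=10.0.0.9 dest_port=445 action=allowed
2024-01-01T00:09:00Z src_ip=10.0.0.5 dest_ip=10.0.0.9 dest_port=445 action=allowed
2024-01-01T00:17:00Z src_ip=10.0.0.5 dest_ip=10.0.0.9 dest_port=445 action=allowed
2024-01-01T00:22:00Z src_ip=10.0.0.5 dest_ip=10.0.0.9 dest_port=445 action=allowed
2024-01-01T00:31:00Z src_ip=10.0.0.5 dest_ip=10.0.0.9 dest_port=445 action=allowed
2024-01-01T00:32:00Z src_ip=10.0.0.5 dest_ip=10.0.0.9 dest_port=445 action=allowed
2024-01-01T00:33:00Z src_ip=10.0.0.5 dest_ip=10.0.0.9 dest_port=445 action=allowed
2024-01-01T00:34:00Z src_ip=10.0.0.5 dest_ip=10.0.0.9 dest_port=445 action=allowed
2024-01-01T00:35:00Z src_ip=10.0.0.5 dest_ip=10.0.0.9 dest_port=445 action=allowed
2024-01-01T00:36:00Z src_ip=10.0.0.5 dest_ip=10.0.0.9 dest_port=445 action=allowed
2024-01-01T00:38:00Z src_ip=192.168.1.10 dest_ip=172.16.0.1 dest_port=22 action=allowed
2024-01-01T00:39:00Z src_ip=8.8.8.8 dest_ip=10.0.0.9 dest_port=53 action=allowed
2024-01-01T00:40:00Z src_ip=10.0.0.5 dest_ip=10.0.0.9 dest_port=445 action=blocked
"""

BUCKET_SECONDS = 15 * 60  # the SPL's span=15m
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip_text):
    """Same filter as the three CIDR terms in the search."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in PRIVATE_RANGES)


def parse_line(line):
    """Return (epoch_seconds, fields) or None when the line does not parse."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return int(ts.timestamp()), fields


def bucket_counts(log_text):
    """Filter + bin _time span=15m + stats count BY src_ip dest_ip _time.
    Returns {(src, dst): {bucket_start_epoch: count}}; as in Splunk, a bucket
    with no events simply has no row."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        if f.get("action") != "allowed" or "dest_port" not in f:  # action=allowed dest_port=*
            continue
        if not (is_private(f["src_ip"]) and is_private(f["dest_ip"])):
            continue
        bucket = ts - ts % BUCKET_SECONDS
        counts[(f["src_ip"], f["dest_ip"])][bucket] += 1
    return counts


def current_vs_average(log_text):
    """stats first(count) AS current, avg(count) AS average BY src_ip dest_ip.
    Splunk hands stats the buckets newest-first, so first(count) is the newest
    bucket, and avg(count) includes that same bucket. 'baseline' is the
    generalization: the mean of the earlier buckets only (None if there are none)."""
    result = {}
    for pair, per_bucket in bucket_counts(log_text).items():
        newest = max(per_bucket)
        current = per_bucket[newest]
        avg_all = sum(per_bucket.values()) / len(per_bucket)
        prior = [c for b, c in per_bucket.items() if b != newest]
        avg_prior = sum(prior) / len(prior) if prior else None
        result[pair] = {"current": current, "average": avg_all, "baseline": avg_prior}
    return result


if __name__ == "__main__":
    for (src, dst), r in sorted(current_vs_average(SAMPLE_LOGS).items()):
        print(f"{src:>15} {dst:>15} current={r['current']} "
              f"average={r['average']:.2f} baseline={r['baseline']}")
```

Two things the run makes visible. First, `avg(count)` in the answer includes the newest bucket, so a burst raises its own baseline (the 10.0.0.5 pair shows average 3.33 against a prior-only baseline of 2.0). Second, only 15-minute windows that contained at least one allowed connection become rows, so idle periods never pull the average down; a pair that talks once a day looks like "1 connection per bucket". For the "go back a few days" goal, set the search time range to cover those days and treat the latest bucket separately from the history it is compared with.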
Looks like it works. Thank ya much!