Splunk Search

Get average connections for the past few days, compare to current connections

aking76
Path Finder

I have the following search; I'm trying to get it to show the src, dst, the current number of connections, and then an average of how many times the src connects to the dst.

Something doesn't seem right with the code I have; I think something is wrong with the avg function I have in there.

I would like it to go back a few days and give me the average number of connections based on those results and then show me what's currently happening.

For instance:

src       dst       Current    AVG
0.0.0.0   0.0.0.1   4450       300

This is not right:

index=net_index* (src_ip = 10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) AND (dest_ip=10.0.0.0/8 OR dest_ip=172.16.0.0/12 OR dest_ip=192.168.0.0/16) dest_port=* action=allowed 
|eventstats count by dest_ip | rename count as "Current Connections"
|bucket span=15m _time
|eventstats count by src_ip | rename count as "Average Connections"
|table  src_ip, dest_ip,"Current Connections", "Average Connections"

woodcock
Esteemed Legend

Try this:

index=net_index* (src_ip = 10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) AND (dest_ip=10.0.0.0/8 OR dest_ip=172.16.0.0/12 OR dest_ip=192.168.0.0/16) dest_port=* action=allowed 
| bin _time span=15m
| stats count BY src_ip dest_ip _time
| stats first(count) AS "Current Connections" avg(count) AS "Average Connections" BY src_ip dest_ip
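As an added example (not part of the thread), here is a variant of the accepted search that keeps a multi-day baseline separate from the current bucket and flags pairs whose current count sits well above their own history. It assumes the same index and field names as the question; the 7-day window, the minimum of 8 baseline buckets and the 3x threshold are placeholders to tune. One caveat on the accepted search: the output of `stats count BY src_ip dest_ip _time` is ordered by its BY fields, with _time ascending, so `first(count)` tends to return the oldest bucket; selecting the newest bucket by its _time avoids relying on row order.

```spl
index=net_index* (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16)
    (dest_ip=10.0.0.0/8 OR dest_ip=172.16.0.0/12 OR dest_ip=192.168.0.0/16)
    action=allowed earliest=-7d@m latest=now
| bin _time span=15m
| stats count AS conns BY src_ip dest_ip _time
| eventstats max(_time) AS newest BY src_ip dest_ip
| eval is_current=if(_time=newest, 1, 0)
| eventstats avg(eval(if(is_current=0, conns, null()))) AS baseline_avg
             stdev(eval(if(is_current=0, conns, null()))) AS baseline_stdev
             count(eval(if(is_current=0, conns, null()))) AS baseline_buckets
    BY src_ip dest_ip
| where is_current=1 AND newest>=now()-900
| eval baseline_avg=round(baseline_avg, 1),
       zscore=if(baseline_stdev>0, round((conns-baseline_avg)/baseline_stdev, 2), null())
| where baseline_buckets>=8 AND conns>baseline_avg*3
| table src_ip dest_ip conns baseline_avg baseline_stdev baseline_buckets zscore
| sort - zscore
```

The baseline average and standard deviation are computed only over the buckets before the newest one, so a spike in the current 15 minutes does not inflate its own baseline; the `newest>=now()-900` condition drops pairs whose most recent bucket is not actually the current one.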


aking76
Path Finder

Looks like it works. Thank ya much!
