How do I compare count over two time periods?

daniel333 · ‎03-07-2017

All,

Thought there was a one stop shop command for this, but I can't find it. Basically I just want an alert when I see a drop in count of events. Say I have 1stddev of change in 15 minutes?

index=* app=clamav | stats count

DalJeanis · ‎03-08-2017

The exact code depends entirely on what you mean by -1 std dev of change in 15 minutes. Here are a couple of examples.

This will look across the last 2 hours and find any minute where the average count for the prior 15 minutes is 1 s.d. below the average across the prior 2 hours.

earliest=-2h index=* app=clamav 
| bin _time span=1m 
| stats count as mycount by _time 
| streamstats avg(mycount) as avgcount15, stdev(mycount) as stdevcount15 time_window=15m
| streamstats avg(mycount) as avgcount120, stdev(mycount) as stdevcount120 time_window=2h
| where avgcount15 < avgcount120 - stdevcount120

This code will find any 15-minute period (2:00-2:15, 2:15-2:30, etc) where the average for the period is 1 s.d. below the average across the prior 2 hours.

earliest=-2h index=* app=clamav 
| bin _time span=1m 
| stats count as mycount by _time 
| eventstats avg(mycount) as avgcount120, stdev(mycount) as stdevcount120
| bin _time span=15m
| stats avg(mycount) as mycount15, first(avgcount120) as avgcount120, first(stdevcount120) as stdevcount120 by _time
| where avgcount15 < avgcount120 - stdevcount120

How do I compare count over two time periods?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...