Splunk Search

How do you find the average count within a time range?

jwalzerpitt
Influencer

I have the following search that shows users who are continuously being infected over a 30 day period:

index=foo NOT zone="null"
| stats count range(_time) as TimeRange by user src app app:category app:subcategory threat url
| where TimeRange>1800
| eval TimeRange_In_Hours = round(TimeRange/3600,2), TimeRange_In_Days = round(TimeRange/3600/24,2)

Is it possible to show the avg count within the time range being returned per user?

Thx

FrankVl
Ultra Champion

What average do you want to calculate?

0 Karma

jwalzerpitt
Influencer

If possible, the avg hits within the TimeRange_In_Hours

Thx

0 Karma

FrankVl
Ultra Champion

So avg number of hits per hour? If count is the total number of hits, just do | eval avg_hits = count / TimeRange_In_Hours. Or am I not understanding your objective?

jwalzerpitt
Influencer

That was it - I was overthinking the issue when it ended up being very simple.

Thx!

0 Karma

somesoni2
Revered Legend

Can we have some sample output, with example/dummy data?

0 Karma

jwalzerpitt
Influencer

Sure thing:

| user | src | app | app:category | app:subcategory | threat | url | count | TimeRange | TimeRange_In_Days | TimeRange_In_Hours |
|---|---|---|---|---|---|---|---|---|---|---|
| jdoe | x.x.x.x | web-browsing | general-internet | internet-utility | Virus/Win32.WGeneric.pppda(195251778) | AliMiserUpdate.exe | 4 | 2703 | 0.03 | 0.75 |
| msmith | x.x.x.x | web-browsing | general-internet | internet-utility | Virus/Win32.WGeneric.pppda(195251778) | AliMiserUpdate.exe | 7 | 7931 | 0.09 | 2.2 |
| rjones | x.x.x.x | web-browsing | general-internet | internet-utility | Generic User-Agent Traffic(10015) | www.cnki.net/elearning/JournalMgr/JConfig.ini | 3 | 23714 | 0.27 | 6.59 |
| mhammer | x.x.x.x | web-browsing | general-internet | internet-utility | Veil-Evasion Payload Detected(39480) | openblas_warpper.dll | 13 | 5853 | 0.07 | 1.63 |

0 Karma
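
The stats/where/eval pipeline from the question, with FrankVl's `avg_hits = count / TimeRange_In_Hours` step added, reproduced outside Splunk so the arithmetic can be checked against the dummy rows above. This is an added example, not code from the thread: the events are constructed (timestamps, the `asingle` and `nullzone` users, and the `BASE_TIME` value are all made up), the zone filter is applied before aggregation because `zone` is not a `by` field and would not survive `stats`, and a `range(_time)` of 0 is shown to be dropped by the `TimeRange>1800` filter before any division happens.

```python
from collections import defaultdict

# Constructed sample data (not from the thread): each tuple describes one
# (user, threat, url) group and is expanded into individual events below.
# count and span_s are chosen to reproduce the dummy rows posted above.
CONSTRUCTED_GROUPS = [
    # user,      threat,                                  url,                                              count, span_s, zone
    ("jdoe",     "Virus/Win32.WGeneric.pppda(195251778)", "AliMiserUpdate.exe",                              4,    2703, "trust"),
    ("msmith",   "Virus/Win32.WGeneric.pppda(195251778)", "AliMiserUpdate.exe",                              7,    7931, "trust"),
    ("rjones",   "Generic User-Agent Traffic(10015)",     "www.cnki.net/elearning/JournalMgr/JConfig.ini",   3,   23714, "trust"),
    ("mhammer",  "Veil-Evasion Payload Detected(39480)",  "openblas_warpper.dll",                           13,    5853, "trust"),
    # Edge cases (hypothetical): a one-off hit whose range is 0, dropped by
    # TimeRange>1800 so no division by zero occurs, and a group whose events
    # carry the literal zone value "null" and must be excluded before stats.
    ("asingle",  "Generic User-Agent Traffic(10015)",     "example.invalid/a.ini",                           1,       0, "trust"),
    ("nullzone", "Veil-Evasion Payload Detected(39480)",  "openblas_warpper.dll",                            5,    4000, "null"),
]

BASE_TIME = 1_700_000_000  # arbitrary epoch start for the constructed events

BY_FIELDS = ("user", "src", "app", "app:category", "app:subcategory", "threat", "url")


def expand_events(groups, base=BASE_TIME):
    """Turn the group descriptions into individual log events (dicts)."""
    events = []
    for user, threat, url, count, span, zone in groups:
        for i in range(count):
            # first event at base, last at base+span, the rest one second apart
            t = base + (span if i == count - 1 else i)
            events.append({"user": user, "src": "x.x.x.x", "app": "web-browsing",
                           "app:category": "general-internet",
                           "app:subcategory": "internet-utility",
                           "threat": threat, "url": url, "zone": zone, "_time": t})
    return events


def recurring_infections(events, min_range_s=1800):
    """Python equivalent of the search in the question plus the avg_hits eval:
    drop zone="null" events, stats count and range(_time) by BY_FIELDS, keep
    groups spanning more than min_range_s, then derive hours, days and the
    average hits per hour over the observed range."""
    groups = defaultdict(list)
    for e in events:
        if e.get("zone") == "null":      # NOT zone="null", applied pre-stats
            continue
        groups[tuple(e[f] for f in BY_FIELDS)].append(e["_time"])

    rows = []
    for key, times in groups.items():
        count = len(times)                          # stats count
        time_range = max(times) - min(times)        # range(_time) as TimeRange
        if time_range <= min_range_s:               # where TimeRange>1800
            continue
        hours = round(time_range / 3600, 2)         # TimeRange_In_Hours
        days = round(time_range / 3600 / 24, 2)     # TimeRange_In_Days
        row = dict(zip(BY_FIELDS, key))
        row.update({"count": count, "TimeRange": time_range,
                    "TimeRange_In_Hours": hours, "TimeRange_In_Days": days,
                    # count / TimeRange_In_Hours; guarded in case a caller lowers
                    # min_range_s far enough for the rounded hours to reach 0
                    "avg_hits": round(count / hours, 2) if hours else None})
        rows.append(row)
    return sorted(rows, key=lambda r: r["user"])


if __name__ == "__main__":
    for r in recurring_infections(expand_events(CONSTRUCTED_GROUPS)):
        print(r["user"], r["count"], r["TimeRange"], r["TimeRange_In_Hours"], r["avg_hits"])
```

Because `TimeRange_In_Hours` is rounded to two decimals before the division, `avg_hits` can differ slightly from `count * 3600 / TimeRange`; dividing by the unrounded range instead is the more accurate choice if the rate feeds a threshold.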