Splunk Search

Question about a search which displays a sudden rise of hits

dragmore88
New Member

Hi. We are Splunking this DHCP service we have, and we had a problem I'd like to narrow down with a smart search: I have MAC as a field extraction, and I'd like to search for which top MAC addresses had a sudden spike in discoveries (I know that 95% of the customers didn't have it, but I'd like to know who did).

br TE


kristian_kolb
Ultra Champion

Hi again,

The following search, or something similar, would probably be sufficient:

    sourcetype=dhcp DHCPDISCOVER earliest=-8h latest=-4h 
    | stats c AS OLD_DISCOVERIES by MAC |join MAC type=outer [search 
    sourcetype=dhcp DHCPDISCOVER earliest=-4h latest=now 
    | stats c AS NEW_DISCOVERIES by MAC] | fillnull 
    | eval change_in_percent=round((NEW_DISCOVERIES/OLD_DISCOVERIES -1) * 100,1) 
    | where change_in_percent > 500

Since I didn't have your data, I had to play with other sources/sourcetypes/fields - but I think that this should work for you. Still assuming that you have a sourcetype of 'dhcp' and that MAC-addresses are extracted into the 'MAC' field.

Basically, this is a comparison of two searches - each with a 4 hour time span. Unfortunately, I needed to use the 'join' function to make this work - and this is generally expensive. There are probably other more efficient ways of linking the inner and outer searches. In my tests the results came back quickly, but then I only had a few thousand events to play with.

You might already have field extraction for DHCPDISCOVER, and if so, you should probably use that. Also, you may want to change the time constraints, but this is up to you.

Hope this helps,

Kristian

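The same two-window comparison done outside Splunk, as an added Python example that is not from the thread: it parses dhcpd lines in the format quoted below (a constructed sample, not real data), counts DHCPDISCOVER per MAC in the previous and the latest 4-hour window, and reports MACs whose count rose by more than 500%. The year and the `NOW` cut-off are assumptions, since syslog omits the year; it also handles the MAC with no history in the old window, where the percentage formula in the search above would divide by zero.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Matches the dhcpd syslog format shown in the thread; OFFER lines are ignored.
DISCOVER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPDISCOVER from "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) via", re.I)

# Constructed sample (not real data). YEAR is assumed because syslog omits it;
# NOW is the end of the latest window, so "old" is 00:00-04:00 and "new" is 04:00-08:00.
YEAR = 2024
NOW = datetime(YEAR, 8, 8, 8, 0, 0)
FLAPPER = "00:1d:ed:40:53:e8"
SAMPLE_LINES = [
    "Aug  8 00:00:01 rchmms010 dhcpd: DHCPDISCOVER from 00:1d:ed:40:5f:b6 via 10.1.255.254",
    "Aug  8 00:00:01 rchmms010 dhcpd: DHCPOFFER on 10.1.210.152 to 00:1d:ed:40:5f:b6 via 10.1.255.254",
    "Aug  8 04:10:00 rchmms010 dhcpd: DHCPDISCOVER from 00:1d:ed:40:5f:b6 via 10.1.255.254",
    f"Aug  8 01:00:01 rchmms010 dhcpd: DHCPDISCOVER from {FLAPPER} via 10.1.255.254",
    "Aug  8 06:30:00 rchmms010 dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:ff via 10.1.255.254",
] + [  # erratic node stuck in a DISCOVER -> OFFER loop: eight DISCOVERs in the new window
    f"Aug  8 05:0{i}:00 rchmms010 dhcpd: DHCPDISCOVER from {FLAPPER} via 10.1.255.254"
    for i in range(8)
]

def count_discoveries(lines, start, end):
    """DHCPDISCOVER count per MAC for events with start <= timestamp < end."""
    counts = Counter()
    for line in lines:
        m = DISCOVER_RE.match(line)
        if m and start <= datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S") < end:
            counts[m["mac"].lower()] += 1
    return counts

def spiking_macs(lines, now=NOW, window=timedelta(hours=4), threshold=500.0):
    """Return [(mac, old, new, change_percent)] for MACs whose count rose by more than threshold %."""
    old = count_discoveries(lines, now - 2 * window, now - window)
    new = count_discoveries(lines, now - window, now)
    hits = []
    for mac in set(old) | set(new):
        o, n = old.get(mac, 0), new.get(mac, 0)
        if o == 0:
            # No history in the old window: the percentage cannot be computed (division
            # by zero), so report any new activity as an unbounded rise instead of dropping it.
            change = float("inf") if n else 0.0
        else:
            change = round((n / o - 1) * 100, 1)
        if change > threshold:
            hits.append((mac, o, n, change))
    return sorted(hits, key=lambda h: h[2], reverse=True)  # "top" = most new DISCOVERs
```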

kristian_kolb
Ultra Champion

Hi, are the discoveries logged along the lines of the example below:

    Aug  8 00:00:01 rchmms010 dhcpd: DHCPDISCOVER from 00:1d:ed:40:5f:b6 via 10.1.255.254
    Aug  8 00:00:01 rchmms010 dhcpd: DHCPOFFER on 10.1.210.152 to 00:1d:ed:40:5f:b6 via 10.1.255.254
    Aug  8 00:00:01 rchmms010 dhcpd: DHCPDISCOVER from 00:1d:ed:40:53:e8 via 10.1.255.254
    Aug  8 00:00:01 rchmms010 dhcpd: DHCPOFFER on 10.1.239.99 to 00:1d:ed:40:53:e8 via 10.1.255.254

In that case, you could easily find the top MACs responsible for the DHCPDISCOVER messages:

    sourcetype=dhcp DHCPDISCOVER | top MAC

assuming that you extract the MAC addresses as 'MAC' and that the sourcetype is 'dhcp'.

/Kristian


dragmore88
New Member

Hi. Thanks for a prompt answer. Unfortunately I was a bit unclear in my question. My issue is that I want to have a top MAC for those MAC addresses that suddenly spike, like 500%, not everyone else. Most of the customers behave like they should, but we have some nodes that are behaving erratically, which again leads to a lot of discovery -> offer loops.
So logically I want:

give me the top MAC addresses which have a rise in discoveries > 500% over 1 lease period (4 hours)

br TE
