Splunk Lantern

Hosts logging more or less data than expected


An anomaly occurred on your network in the last 3 hours. Your boss wants a report of how much data each host on the network logged during that time, along with some sort of baseline for comparison. 

Required data

The data needed in this procedure depends on the types of events you are investigating. The data descriptors can help you decide what data is appropriate for your goal.

Procedure

Run the following search. You can optimize it by specifying an index and adjusting the time range.

|tstats count WHERE earliest=-7d latest=-3h BY host, _time span=3h
|stats median(count) AS median BY host
|join host [|tstats count WHERE earliest=-3h BY host]
|eval percentage_diff=((count/median)*100)-100
|where percentage_diff<-5 OR percentage_diff>5
|sort percentage_diff
|rename median AS "Median Event Count Past Week", count AS "Event Count of Events Past 3 Hours", percentage_diff AS "Percentage Difference"

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search | Explanation

|tstats count WHERE earliest=-7d latest=-3h BY host, _time span=3h

Return the number of events per host in the last seven days up until three hours ago, batched into three-hour intervals.

|stats median(count) AS median BY host

Return the median number of events for each host. If you use a visualization, the median will be on the y-axis and the hosts will be on the x-axis.

|join host [|tstats count WHERE earliest=-3h BY host]

Return the number of events in the last three hours per host, and display those results with the previous results.

|eval percentage_diff=((count/median)*100)-100

Calculate the percentage difference between the median number of events over the seven-day period and the events in the last three hours for each host.

|where percentage_diff<-5 OR percentage_diff>5

Return values where the percentage difference is less than -5 or greater than 5.

|sort percentage_diff

Sort the table with the least percentage difference value first.

|rename median AS "Median Event Count Past Week", count AS "Event Count of Events Past 3 Hours", percentage_diff AS "Percentage Difference" 

Rename the fields as shown for better readability.
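To see what the search computes outside Splunk, here is an added Python example (not part of the Lantern article or of Splunk) that reproduces its logic over a constructed event stream: bucket a week of events per host into 3-hour spans, take the per-host median, compare it with the last 3 hours, and keep hosts beyond 5 percent either way. It goes one step beyond the search's inner join by keeping a host that has a baseline but logged nothing in the last 3 hours with a count of 0, since a host going silent is often the change worth noticing; the host names and the timestamp used as "now" are made up.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

SPAN = timedelta(hours=3)  # bucket width, as in `_time span=3h`

def bucket_start(ts, span=SPAN):
    """Floor a timestamp to its 3-hour bucket (what `BY _time span=3h` does)."""
    epoch = ts.timestamp()
    return epoch - epoch % span.total_seconds()

def baseline_deviation(events, now, baseline_days=7, threshold=5.0):
    """events: (timestamp, host) pairs. Returns rows sorted by percentage_diff for hosts
    whose last-3h count deviates more than `threshold` percent from their median per-bucket
    count over the prior week. Silent hosts are kept with count 0 (the inner join drops them)."""
    recent_start = now - SPAN
    week_start = now - timedelta(days=baseline_days)
    per_bucket, recent_counts = Counter(), Counter()
    for ts, host in events:
        if week_start <= ts < recent_start:
            per_bucket[(host, bucket_start(ts))] += 1   # first tstats: week up to 3h ago
        elif recent_start <= ts <= now:
            recent_counts[host] += 1                    # subsearch tstats: last 3 hours
    counts_by_host = defaultdict(list)   # only buckets that had events, as tstats returns
    for (host, _), n in per_bucket.items():
        counts_by_host[host].append(n)
    rows = []
    for host, counts in counts_by_host.items():   # hosts with no baseline are dropped
        med, cnt = median(counts), recent_counts.get(host, 0)
        pct = (cnt / med) * 100 - 100               # the eval step
        if pct < -threshold or pct > threshold:     # the where step
            rows.append({"host": host, "median": med, "count": cnt,
                         "percentage_diff": round(pct, 2)})
    return sorted(rows, key=lambda r: r["percentage_diff"])   # the sort step

def sample_events(now):
    """Constructed sample stream (not real data): a steady 10 events per bucket per host."""
    week_start = now - timedelta(days=7)
    events = [(week_start + i * SPAN + timedelta(minutes=1), h)
              for i in range(55) for h in ("web01", "db01", "dc01") for _ in range(10)]
    recent = now - timedelta(minutes=90)
    events += [(recent, "web01")] * 10   # unchanged: 0 percent, filtered out
    events += [(recent, "db01")] * 30    # +200 percent
    events += [(recent, "new01")] * 5    # no baseline: dropped, as the join would do
    return events                        # dc01 is silent in the last 3h: -100 percent

NOW = datetime(2024, 1, 8, 12, 0, tzinfo=timezone.utc)  # assumed "now" (made up)

def run_example():
    return baseline_deviation(sample_events(NOW), NOW)
```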

Next steps

The results include everything your boss asked for, as well as the percentage difference in data logged. You can print or export the results table, or click Save As > Report to save it for viewing in Splunk. Printing or saving the results as a visualization, such as a line chart, might be more useful. 

Finally, you might be interested in other processes associated with the Creating a timebound picture of network activity use case.