The point is there are numerous ways to leverage stats. As a side note, if I saw the result set above I might ask why I am seeing many hosts from the same subnet all communicating to the same destination IP, with identical byte counts, both in and out. By changing the sort, I can easily pivot to look at the top inbound byte volumes or even the low talkers based on lowest byte count (which might be its own hypothesis). In this example, the same data sets are used but this time, the stats command is used to sum the bytes_in and bytes_out fields. | table src dest total_bytes_in total_bytes_out | stats sum(bytes_in) as total_bytes_in sum(bytes_out) as total_bytes_out by src dest Using the stats command, multiple fields can be calculated, renamed and grouped. A hypothesis might be to look at firewall traffic to understand who my top talkers to external hosts are, not from a connection perspective, but from a byte perspective. Once the count is generated, that output can be manipulated to get rid of single events and then sorted from largest to smallest.Īnother use for stats is to sum values together. The stats command is generating a count, grouped by source and destination address. The search is looking at the firewall data originating from the 192.168.225.0/24 netblock and going to destinations that are not internal or DNS. I might hypothesize that the source destination pairs with the largest amount of connections starting in a specific netblock are of interest to dig deeper into.
#SPLUNK STATS ROUND HOW TO#
Here is a good basic example of how to apply the stats command during hunting. Using the keyword by within the stats command can group the statistical calculation based on the field or fields listed. It will perform any number of statistical functions on a field, which could be as simple as a count or average, or something more advanced like a percentile or standard deviation. The stats command is a fundamental Splunk command. Like many Splunk commands, all three are transformational commands, meaning they take a result set and perform functions on the data. When I say stats, I am not just referring to the stats command there are two additional commands that are worth mentioning-eventstats and streamstats. When focusing on data sets of interest, it's very easy to use the stats command to perform calculations on any of the returned field values to derive additional information. I won’t belabor the point, but it's such a crucial capability in the context of threat hunting that it would be crime to not talk about it in this series.
If you have spent any time searching in Splunk, you have likely done at least one search using the stats command. What this is doing is for each field name matching *, it will then run the eval statement in the subsearch and the > reference is the actual value of the field, so you are just rounding the fields without having to know their names.įoreach is a very powerful and is one of the commands you can use well if you use good naming conventions in your field names in your SPL.This is part six of the " Hunting with Splunk: The Basics" series. You will have to use the foreach statement, which will iterate through each field, like this | timechart avg(memUsedGB) as avgmem by host In this case, you can't just use the round() function any more. You will see the columns do not have anything to do with avgmem in their names. | timechart avg(memUsedGB) as avgmem by host You will get a column called avgmem, which you can easily round. You use a split by clause, the name of the fields generated are the names of the split and no longer the name you want to give it, so if you look at the statistics tab when you do | timechart avg(memUsedGB) as avgmem
0 kommentar(er)
