I want to create a rule that will detect the upload of a large amount of data from my network. The rule works as I want, except that I have to run it every minute to group the data into minute blocks for each domain. My question is how to set it up so that I only need to run the rule once every 12 hours, with the upload data being calculated in minute blocks.
Here is my current query:
from logs-*
| WHERE (CIDR_MATCH(source.ip, "10.0.0.0/8") OR CIDR_MATCH(source.ip, "172.16.0.0/12") OR CIDR_MATCH(source.ip, "192.168.0.0/16")) AND url.domain IS NOT NULL AND @timestamp >= NOW() - 60 seconds
| stats upload = sum(source.bytes) by url.domain, source.ip
| where upload >= 52428800
E.g. in Splunk there is the span command, so something like that.
from logs-*
| WHERE (CIDR_MATCH(source.ip, "10.0.0.0/8") OR CIDR_MATCH(source.ip, "172.16.0.0/12") OR CIDR_MATCH(source.ip, "192.168.0.0/16")) AND url.domain IS NOT NULL AND @timestamp >= NOW() - 12 hours
| stats upload = sum(source.bytes) by url.domain, source.ip, minute = BUCKET(@timestamp, 1 minute)
| where upload >= 52428800
This will also group by @timestamp, splitting it into a histogram of 1-minute intervals.
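To see what the BUCKET version of the rule actually matches, here is the same detection logic run over a handful of constructed events (an added example, not code from the original thread; the event records, domains and addresses are made up):

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events in the shape of the ECS fields the query uses.
EVENTS = [
    # 90 MiB to files.example.com inside a single minute -> one bucket over threshold
    {"@timestamp": "2024-05-01T10:03:05Z", "source.ip": "10.1.2.3", "url.domain": "files.example.com", "source.bytes": 30 * 1024 * 1024},
    {"@timestamp": "2024-05-01T10:03:20Z", "source.ip": "10.1.2.3", "url.domain": "files.example.com", "source.bytes": 30 * 1024 * 1024},
    {"@timestamp": "2024-05-01T10:03:40Z", "source.ip": "10.1.2.3", "url.domain": "files.example.com", "source.bytes": 30 * 1024 * 1024},
    # 60 MiB from another host straddling the 10:07/10:08 boundary -> split 30/30, under threshold per bucket
    {"@timestamp": "2024-05-01T10:07:50Z", "source.ip": "192.168.5.9", "url.domain": "cdn.example.net", "source.bytes": 30 * 1024 * 1024},
    {"@timestamp": "2024-05-01T10:08:10Z", "source.ip": "192.168.5.9", "url.domain": "cdn.example.net", "source.bytes": 30 * 1024 * 1024},
    # public source address: dropped by the CIDR_MATCH filter despite its size
    {"@timestamp": "2024-05-01T10:09:00Z", "source.ip": "203.0.113.7", "url.domain": "files.example.com", "source.bytes": 100 * 1024 * 1024},
    # missing url.domain: dropped by the IS NOT NULL filter
    {"@timestamp": "2024-05-01T10:09:30Z", "source.ip": "10.1.2.3", "url.domain": None, "source.bytes": 100 * 1024 * 1024},
]

PRIVATE_NETS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
THRESHOLD = 52428800  # 50 MiB, the same threshold as the query


def minute_bucket(ts: str) -> datetime:
    """Floor a timestamp to the start of its minute, like BUCKET(@timestamp, 1 minute)."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return dt.replace(second=0, microsecond=0)


def large_uploads(events, threshold=THRESHOLD):
    """Return {(domain, ip, minute): bytes} for every fixed minute bucket at or above threshold."""
    totals = defaultdict(int)
    for ev in events:
        ip = ipaddress.ip_address(ev["source.ip"])
        if not any(ip in net for net in PRIVATE_NETS) or ev["url.domain"] is None:
            continue
        key = (ev["url.domain"], ev["source.ip"], minute_bucket(ev["@timestamp"]))
        totals[key] += ev["source.bytes"]
    return {k: v for k, v in totals.items() if v >= threshold}


if __name__ == "__main__":
    for (domain, ip, minute), total in sorted(large_uploads(EVENTS).items()):
        print(f"{minute:%Y-%m-%dT%H:%M}Z {ip} -> {domain}: {total} bytes")
```

The straddling burst shows the one behavioural difference from the every-minute rule: BUCKET uses fixed minute boundaries rather than a sliding 60-second window, so an upload that crosses a boundary can be split into two buckets that each stay below the threshold.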