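  ``` Select the search space (index, sourcetype, eventtypes, ...) and the basic filters (ip, range, ...). ```
``` index=* scans every index; in production, name the index that actually holds the IDS data. ```
index=* sourcetype="my_super_ids" src!=64.39.96.0/20
``` Optional - collapse the action values to three classes so the later pivot yields a fixed set of columns (allowed, blocked, not_allowed). ```
| eval action=case(action="allowed", "allowed", action="blocked", "blocked", true(), "not_allowed")
``` Group the results over the required dimensions (usually source/destination/action). ```
| stats count(action) as action_count by src, dest, action
``` Reduce the dimensions count to facilitate the analysis: one row per src:dest pair, one column per action class. ```
| eval event=src + ":" + dest
| xyseries event action action_count
``` A pair with no events of a given class has a count of 0, not an unknown count; filling the nulls keeps those pairs in the baseline instead of silently excluding them from avg/stdev. ```
| fillnull value=0 allowed blocked not_allowed
``` Calculate the statistical values over the numerical dimension. ```
``` eventstats computes avg/stdev over the whole result set and attaches them to every row; streamstats would give a running (cumulative) value, so the first rows would be judged against a baseline built from one or two events. ```
``` The '10' in 'avg+stdev*10' is the sensitivity: a higher factor keeps only the most extreme outliers. ```
| eventstats avg(blocked) as avg stdev(blocked) as stdev
| eval blocked_lb=(avg-stdev*10)
| eval blocked_ub=(avg+stdev*10)
``` Filter to keep only the high outliers; blocked_lb is kept for reference but a low number of blocked events is not an indicator here. ```
| where blocked > blocked_ub
``` Format the final results. ```
| table event allowed blocked not_allowed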
  