
Hi all,

I'm looking for a way to calculate the total log volume for the last 7 days and compare it with the previous 7 days to identify any anomalies in the total log volume ingested into the SIEM.

Any recommendation is much appreciated. 

Thank you in advance.

Hi @vivekramrs, check out this previous post, Aggregate functions in metrics. It should help answer your question.

Thank you, @matthewnichols . I will use the logic in the link; it looks similar to what I’m looking for.

Hi @matthewnichols, I tried and got stuck after this. I was able to get the total log count per day, but I wasn't able to get the averages, or work out how to compare this average with another average to determine whether the count increases or decreases.

events:
    // match every log type; $logtype captures the source name
    $e.metadata.log_type = /./
    $e.metadata.log_type = $logtype
    // bucket each event by calendar day
    timestamp.get_date($e.metadata.event_timestamp.seconds) = $date
match:
    $date
outcome:
    $count = count($e.metadata.event_timestamp.seconds)

We had a recent question about this and arrived at this as a potential way to address this. We could run the search against 2 weeks to get a total for the 2 weeks and then have a separate column for the most recent week (and day) and then calculate a percentage of the logs in the second week against the total returned.

events:
    metadata.event_type > 0
outcome:
    // every event in the search window (run the search over 2 weeks)
    $total_events_count = count_distinct(metadata.id)
    // bucket counts relative to now: 86400 s = 1 day, 604800 s = 7 days
    $last_24_hrs = sum(if(metadata.event_timestamp.seconds > timestamp.current_seconds() - 86400, 1, 0))
    $last_7_days = sum(if(metadata.event_timestamp.seconds > timestamp.current_seconds() - 604800, 1, 0))
    // share of the window's events that arrived in the most recent week
    $last_7_percent_of_total = $last_7_days / $total_events_count
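The search above returns totals, so the week-over-week comparison still has to be done on its output. As an added example that is not part of this thread or of the SIEM's own tooling, the Python below takes per-day, per-log_type counts (a constructed sample stands in for the query result), sums the last 7 days against the 7 days before, and flags any source whose volume moved by 30% or more, with a source that has no prior-week baseline reported separately instead of dividing by zero. The function names and the 30% threshold are my choices.

```python
from collections import defaultdict
from datetime import date, timedelta


def make_sample_rows():
    """Constructed stand-in for the per-day, per-log_type counts the query returns."""
    rows = []
    start = date(2024, 1, 1)
    for d in range(14):
        day = start + timedelta(days=d)
        rows.append((day, "WINEVTLOG", 1000))                 # steady source
        rows.append((day, "CS_EDR", 500 if d < 7 else 200))   # volume drops in week 2
        if d < 7:
            rows.append((day, "PAN_FIREWALL", 300))           # goes silent in week 2
        if d >= 10:
            rows.append((day, "OKTA", 50))                    # new source, no baseline
    return rows


def week_over_week(rows, end_day, threshold=0.3):
    """Sum the 7 days ending end_day (inclusive) and the 7 days before them,
    per log_type, and flag any change of at least `threshold` (30% by default)."""
    recent_start = end_day - timedelta(days=6)
    prior_start = recent_start - timedelta(days=7)
    recent, prior = defaultdict(int), defaultdict(int)
    for day, log_type, count in rows:
        if recent_start <= day <= end_day:
            recent[log_type] += count
        elif prior_start <= day < recent_start:
            prior[log_type] += count
    report = {}
    for log_type in sorted(set(recent) | set(prior)):
        r, p = recent[log_type], prior[log_type]
        if p == 0:
            # No baseline week: a ratio is undefined, so report it separately
            change, status = None, "NEW_SOURCE"
        else:
            change = (r - p) / p          # -1.0 means the source went silent
            status = "ANOMALY" if abs(change) >= threshold else "OK"
        report[log_type] = {"prior": p, "recent": r, "avg_per_day_prior": p / 7,
                            "avg_per_day_recent": r / 7, "change": change, "status": status}
    return report


if __name__ == "__main__":
    for lt, row in week_over_week(make_sample_rows(), date(2024, 1, 14)).items():
        pct = "n/a" if row["change"] is None else f"{row['change']:+.0%}"
        print(f"{lt:<14}{row['prior']:>8}{row['recent']:>8}  {pct:>6}  {row['status']}")
```

A silent source shows up as a -100% change, which is usually the more urgent finding than a spike, since it means the SIEM has stopped seeing that feed.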

