Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create an overlay of the avg number of blocks over total sessions?

jwalzerpitt
Influencer
‎11-07-2022 10:57 AM

I am trying to create a timechart overlay of blocked  traffic comparted to total traffic with the following search:

 

| tstats count AS "Total Traffic" from datamodel=Network_Traffic where (nodename = All_Traffic ) OR (nodename = Blocked_Traffic) All_Traffic.src_zone=INTERNET-O groupby _time span=1d, All_Traffic.src_zone, All_Traffic.action, All_Traffic.Traffic_By_Action.Blocked_Traffic prestats=true 
| `drop_dm_object_name("All_Traffic")` 
| timechart span=1d count by action 
| eval "Block Avg" = round('blocked'*100/('allowed'+'blocked'),2)

 

 This search has two issues:

  1. Timechart shows bars by action and 'd like to see just the total count of network sessions
  2. The average is basically flatlined as it's at roughly 40% whereas my totals by action are roughly 1.5B
Labels (1)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

💌Keep the new year’s momentum going with our February lineup of Community Office Hours, Tech Talks, ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...