
I want to perform behavioral analysis / anomaly detection in Splunk by comparing historical data (say last month's data) with today's data to find anomalies.

I am analyzing FTP logs, so e.g. I want to have a historical baseline/report of all users with their IPs/city and login time. Anomalies can be defined as the same user logging in from a different IP range/city and in a different time zone. The commands anomalies, anomalousvalue and analyzefields are available in Splunk, but these commands typically work on the time range of the searched data and do not compare against the historical data for a user as we want.

How can I achieve this in Splunk?

Sourabh Potnis

1 Answer


You can do it by running two searches and then joining them together:

  1. start by getting the current data and putting it in a simple table: search | table username ip city time_zone
  2. Prepare the second search and rename the fields (except username) so they have different names: second_search earliest=-2mon@mon latest=-1mon@mon | table username ip city time_zone | rename ip as old_ip | rename city as old_city ...
  3. Join the searches together: search | join [ | search second_search ]
  4. Now you can search for users with similar new and historical fields.

Hope it is helpful.

Tom Kregenbild
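The four steps above written out as one complete search (an added example, not the answer's own code). It assumes FTP logins are indexed with sourcetype=ftp and carry the fields user, src_ip, city and action=login; date_hour is Splunk's default extracted hour-of-day field. The baseline is the previous month up to the start of today, and a row is flagged when the user has no baseline at all, when the user/IP/city combination was never seen in the baseline, or when the login hour was never seen for that user in the baseline:

```spl
sourcetype=ftp action=login earliest=@d latest=now
| stats count as logins_today min(_time) as first_login_today by user src_ip city date_hour
| join type=left user src_ip city
    [ search sourcetype=ftp action=login earliest=-1mon@mon latest=@d
      | stats count as baseline_logins by user src_ip city ]
| join type=left user date_hour
    [ search sourcetype=ftp action=login earliest=-1mon@mon latest=@d
      | stats count as baseline_hour_logins by user date_hour ]
| join type=left user
    [ search sourcetype=ftp action=login earliest=-1mon@mon latest=@d
      | stats dc(src_ip) as baseline_ips values(city) as baseline_cities by user ]
| eval anomaly=case(
      isnull(baseline_ips), "user never seen in baseline",
      isnull(baseline_logins), "user/IP/city combination not in baseline",
      isnull(baseline_hour_logins), "login hour not in baseline for this user",
      true(), null())
| where isnotnull(anomaly)
| convert ctime(first_login_today)
| table user src_ip city date_hour first_login_today logins_today anomaly baseline_ips baseline_cities
```

Each join is type=left so that today's rows survive when the baseline has no match; the missing baseline counts are exactly what marks an anomaly. Note that subsearches are subject to Splunk's default limits (10,000 results and a 60-second runtime), so for a large user population it scales better to compute the baseline once with outputlookup and then use lookup against that CSV instead of the joins.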