Follow the steps in this recipe to identify abnormally sized web requests:
- Log in to your Splunk server.
- Select the Operational Intelligence application.
- Ensure the time range picker is set to Last 24 Hours, and type the following search into the Splunk search bar. Then, click on the search button or hit Enter:
index=main sourcetype=access_combined | eventstats mean(bytes) AS mean_bytes, stdev(bytes) AS stdev_bytes | eval Z_score=round(((bytes-mean_bytes)/stdev_bytes),2) | where Z_score>1.5 OR Z_score<-1.5 | table _time, clientip, uri, bytes, mean_bytes, Z_score
- Splunk will return the results in a tabulated form, similar to the following example:
- Let's save this search as a report. Click on Save As and choose
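The search in step 3 is easier to reason about when its pipeline is spelled out stage by stage. The following Python is an added example (not part of the cookbook recipe or of Splunk) that replays the same logic over a handful of constructed access_combined lines: `eventstats` becomes a mean and sample standard deviation over all events, `eval Z_score` becomes the rounded deviation, and the `where` clause keeps only rows beyond 1.5 standard deviations on either side. Log lines, IP addresses and URIs are invented for the example.

```python
import re
import statistics

# Constructed access_combined events (not real traffic); the 1200-byte and
# 10-byte responses are planted so both sides of the Z-score filter fire.
SAMPLE_LOG = """\
10.0.0.11 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 500 "-" "Mozilla/5.0"
10.0.0.12 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 510 "-" "Mozilla/5.0"
10.0.0.13 - - [10/Oct/2023:13:55:38 +0000] "GET /about.html HTTP/1.1" 200 490 "-" "Mozilla/5.0"
10.0.0.14 - - [10/Oct/2023:13:55:39 +0000] "GET /index.html HTTP/1.1" 200 505 "-" "Mozilla/5.0"
10.0.0.15 - - [10/Oct/2023:13:55:40 +0000] "GET /about.html HTTP/1.1" 200 495 "-" "Mozilla/5.0"
10.0.0.16 - - [10/Oct/2023:13:55:41 +0000] "GET /index.html HTTP/1.1" 200 500 "-" "Mozilla/5.0"
10.0.0.17 - - [10/Oct/2023:13:55:42 +0000] "GET /export HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
10.0.0.18 - - [10/Oct/2023:13:55:43 +0000] "GET /login HTTP/1.1" 302 10 "-" "Mozilla/5.0"
10.0.0.19 - - [10/Oct/2023:13:55:44 +0000] "HEAD /index.html HTTP/1.1" 200 - "-" "Mozilla/5.0"
"""

# The access_combined fields the search touches (_time, clientip, uri, bytes).
ACCESS_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<_time>[^\]]+)\] '
    r'"\S+ (?P<uri>\S+) [^"]*" \d{3} (?P<bytes>\d+|-)'
)

def parse_events(raw):
    """Extract fields; a '-' bytes value is non-numeric, and Splunk's mean()/stdev() skip it, so skip it here too."""
    events = []
    for line in raw.splitlines():
        m = ACCESS_RE.match(line)
        if m and m["bytes"] != "-":
            events.append({**m.groupdict(), "bytes": int(m["bytes"])})
    return events

def zscore_outliers(events, threshold=1.5):
    """Same pipeline as the SPL: eventstats mean/stdev, eval Z_score, where |Z| > threshold."""
    if len(events) < 2:
        return []  # stdev() is undefined for a single event
    sizes = [e["bytes"] for e in events]
    mean_bytes = statistics.mean(sizes)
    stdev_bytes = statistics.stdev(sizes)  # sample stdev, as Splunk's stdev()
    if stdev_bytes == 0:
        return []  # identical sizes: Z_score would be null and 'where' drops every row
    rows = []
    for e in events:
        z = round((e["bytes"] - mean_bytes) / stdev_bytes, 2)
        if z > threshold or z < -threshold:
            rows.append({"_time": e["_time"], "clientip": e["clientip"], "uri": e["uri"],
                         "bytes": e["bytes"], "mean_bytes": mean_bytes, "Z_score": z})
    return rows
```

With the planted sample, `zscore_outliers(parse_events(SAMPLE_LOG))` returns exactly the 1200-byte and 10-byte responses (Z_score 2.09 and -1.6), mirroring the table the Splunk search produces.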