topic How to use evaluate function across multiple multivalue fields in Archive
https://community.splunk.com/t5/Archive/How-to-use-evaluate-function-across-multiple-multivalue-fields/m-p/313413#M45877
<P>Hi,</P>
<P>I am trying to create an anomaly detector for unusually high thruputs across all sourcetypes in my Splunk internal logs. I have used the following code to compile a table of the sourcetype by thruput rate(kilobytes/s) by the time :</P>
<PRE><CODE>index=_internal
source=*metrics.log
group=*sourcetype*
| xyseries _time,series,kbps
</CODE></PRE>
<P>I am using the standard deviation method to determine my threshold to find the outliers for each sourcetype.</P>
<P>I am using the following code from the Splunk MLTK addon to detect my outliers:<BR />
<CODE><BR />
|evenstats avg("$sourcetype$") as avg stdev("$sourcetype$") as stdev<BR />
| eval lowerBound=(avg-stdev*20),upperBound=(avg+stdev*20)<BR />
| eval isOutlier=if('$sourcetype$' < lowerBound OR '$sourcetype$' > upperBound ,1 , 0)<BR />
| where isOutlier=1<BR />
</CODE></P>
<P>But I do not know how to calculate the average and standard deviation of the thruput rate of each sourcetype using the table generated above. I know that this can be done manually by keying in the sourcetypes. But I have over 20 sourcetypes, is there a way to make a loop using SPL that will loop through all sourcetypes and perform the relevant calculations?</P>
<P>Thanks!</P>Mon, 29 May 2017 09:57:38 GMTmngeow2017-05-29T09:57:38ZHow to use evaluate function across multiple multivalue fields
https://community.splunk.com/t5/Archive/How-to-use-evaluate-function-across-multiple-multivalue-fields/m-p/313414#M45878
<P>This answer will give you more than you need but it has EVERYTHING (prepare to do some work) and it doesn't use the black-box "magic" of ML:</P>
<P><A href="https://answers.splunk.com/answers/511894/how-to-use-the-timewrap-command-and-set-an-alert-f.html">https://answers.splunk.com/answers/511894/how-to-use-the-timewrap-command-and-set-an-alert-f.html</A></P>Mon, 29 May 2017 14:13:53 GMThttps://community.splunk.com/t5/Archive/How-to-use-evaluate-function-across-multiple-multivalue-fields/m-p/313414#M45878woodcock2017-05-29T14:13:53Z