topic Re: Mean for Failed Logons to Windows in Getting Data In

Mean for Failed Logons to Windows

hagjos43 — Wed, 06 Nov 2013 19:05:19 GMT

I'm trying to grab the number value of all failed logons on windows logs (eventually will be failed logons per account aka user).

I'm trying to run the mean on the following query:

index=xyz ("EventCode=4625") OR ("EventCode=529" OR "EventCode=530" OR "EventCode=531" OR "EventCode=532" OR "EventCode=533" OR "EventCode=534" OR "EventCode=535" OR "EventCode=536" OR "EventCode=537" OR "EventCode=539") (Logon_Type=*) | stats mean(user)

This returns no value. If I change it to

stats mean(EventCode)

It returns a number that is incorrect. This number corresponds to the mean of the EventCode numbers. Perhaps I simply can't wrap my head around the situation, but any help would be greatly appreciated!

Re: Mean for Failed Logons to Windows

Ayn — Wed, 06 Nov 2013 19:09:49 GMT

I don't follow completely what you're trying to achieve - grab a count of failed logons? If so, just do stats count at the end of the search, instead of stats mean(...). If I misunderstood your intentions, please describe them in more detail.

Re: Mean for Failed Logons to Windows

lguinn2 — Wed, 06 Nov 2013 19:09:54 GMT

Try this:

index=xyz ("EventCode=4625") OR ("EventCode=529" OR "EventCode=530" OR "EventCode=531" OR "EventCode=532" OR "EventCode=533" OR "EventCode=534" OR "EventCode=535" OR "EventCode=536" OR "EventCode=537" OR "EventCode=539") (Logon_Type=*) 
| stats count by user
| stats mean(count) as MeanCountOfUserEvents

The mean function calculates the average of the field that you name. So mean(EventCode) will return the mean of the numeric event codes - and Splunk can't even calculate mean(user) because none of the values for user are numeric. My example counts the number of events for each user, and then takes the mean of that count.

Re: Mean for Failed Logons to Windows

hagjos43 — Thu, 07 Nov 2013 13:54:20 GMT

Thank you! This is what I wanted. Can you add to this though, if I wanted to count the mean of the number of events and show it for each user how would I add that in this query?

Re: Mean for Failed Logons to Windows

hagjos43 — Mon, 28 Sep 2020 15:13:38 GMT

Looks like I figured it out on my own.....

stats mean(count) as Standard_Deveation_Of_Successful_Logons by user

Re: Mean for Failed Logons to Windows

lguinn2 — Thu, 07 Nov 2013 17:40:55 GMT

I don't understand how you are using the term "mean" - in English, the statistic called "mean" is also called "average." The mean is calculated for a series of numbers by first summing the numbers and then dividing the total by the count of the numbers.

The mean is not a "standard deviation" - for a standard deviation, use the stdev function instead.

Finally, this will work for your count by user

yoursearchhere | stats count by user

The mean doesn't make sense here, as you have only one value per user