topic Re: Help with Stats and time buckets in Knowledge Management

Help with Stats and time buckets

mpasha — Fri, 16 Aug 2019 20:39:35 GMT

good day everyone,
I have been wrestling with a rather trivial task in Splunk but have not been able to progress with the task at all.
I have a summary index that records number of DNS queries per hour. I have attached a csv file with the content: link text

here is the requirement:
I need to have an aggregate of DNS query counts per day which i can calculte with no problem:

index=sum_dnsquery_count earliest=-2mon@mon latest=@d
| bucket _time span=1d@d
| timechart sum(count) as Daily_DNSQuery

now the challenging part is i want to calculate daily average for the past two month and also standard deviation of the daily count for the same time frame "past 2 months" "Keep in mind the summary index minimum time value is 1hr. and lastly i want to have a chart with the daily values with average and standard deviation superimposed on a chart.

Any help is greatly appreciated.

Thanks,

Re: Help with Stats and time buckets

somesoni2 — Fri, 16 Aug 2019 21:11:03 GMT

Does following doesn't give you right values?

index=sum_dnsquery_count earliest=-2mon@mon latest=@d
 | bucket _time span=1d@d
 | timechart sum(count) as Daily_DNSQuery stdev(count) as StandardDeviation

OR this

index=sum_dnsquery_count earliest=-2mon@mon latest=@d
 | bucket _time span=1d@d
 | timechart sum(count) as Daily_DNSQuery | eventstats stdev(Daily_DNSQuery) as StandardDeviation

Re: Help with Stats and time buckets

mpasha — Fri, 16 Aug 2019 21:31:04 GMT

Awsome!!!!!
Thanks so much it is working the way it should.
Really appreciate your help Somesoni2.

Re: Help with Stats and time buckets

mpasha — Fri, 16 Aug 2019 21:37:30 GMT

Somesoni2 has answered the question and it is working perfectly.
Thanks again Somesoni2.