topic Re: How to generate a search to find the number of days that exceeds mean by certain ranges? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-to-find-the-number-of-days-that-exceeds/m-p/347485#M102919 <PRE><CODE>index="index" field="field" sourcetype="sourcetype" | bucket _time span=1d | stats count as EventCount by _time | rename COMMENT as "This section adds records for the days which had zero counts. Remove if unwanted." | appendpipe [| stats min(_time) as mintime max(_time) as maxtime | eval _time=mvrange(mintime,maxtime,86400) | eval EventCount=0] | stats max(EventCount) as EventCount by _time | rename COMMENT as "This section calculates which days were beyond n stdevs, and sets a flag to count them up." | eventstats avg(EventCount) as avgEventCount stdev(EventCount) as stdevEventCount | eval logs1=if(EventCount&gt; avgEventCount+1*stdevEventCount,1,0) | eval logs2=if(EventCount&gt; avgEventCount+2*stdevEventCount,1,0) | eval logs3=if(EventCount&gt; avgEventCount+3*stdevEventCount,1,0) | rename COMMENT as "This section adds records to show the specific dates beyond n stdevs, for test purposes. Remove when working if unwanted." | eval day = strftime(_time,"%Y-%m-%d") | eval days1=if(EventCount&gt; avgEventCount+1*stdevEventCount,day,0) | eval days2=if(EventCount&gt; avgEventCount+2*stdevEventCount,day,0) | eval days3=if(EventCount&gt; avgEventCount+3*stdevEventCount,day,0) | rename COMMENT as "This section calculates and reports your answers." | stats sum(log*) as log*, values(day*) as day* </CODE></PRE> Thu, 15 Jun 2017 18:51:05 GMT DalJeanis 2017-06-15T18:51:05Z How to generate a search to find the number of days that exceeds mean by certain ranges? https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-to-find-the-number-of-days-that-exceeds/m-p/347483#M102917 <P>Hello all!</P> <P>I'm trying to find the number of days that the daily count of my event exceeds the daily mean + standard deviation for a 3-week period. I also need to return the number of days that exceeds the mean + 2 stdevs and mean + 3 stdevs, and keep it all together.</P> <P>Is there an easy way to do this?</P> Thu, 15 Jun 2017 16:37:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-to-find-the-number-of-days-that-exceeds/m-p/347483#M102917 jrnastase 2017-06-15T16:37:50Z Re: How to generate a search to find the number of days that exceeds mean by certain ranges? https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-to-find-the-number-of-days-that-exceeds/m-p/347484#M102918 <P>If it helps, this is what I tried before, but it only works if values exist for logs++</P> <P>index="index" field = "field" sourcetype="sourcetype"<BR /> | bucket _time span=1d <BR /> | stats count by _time <BR /> | eventstats avg(count) as average stdev(count) as standard_deviation<BR /><BR /> | where count&gt;average+standard_deviation <BR /> | eventstats count as logs <BR /> | where count&gt;average+(2*standard_deviation) <BR /> | eventstats count as logs+ <BR /> | where count&gt;average+(3*standard_deviation) <BR /> | eventstats count as logs++</P> Tue, 29 Sep 2020 14:28:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-to-find-the-number-of-days-that-exceeds/m-p/347484#M102918 jrnastase 2020-09-29T14:28:04Z Re: How to generate a search to find the number of days that exceeds mean by certain ranges? https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-to-find-the-number-of-days-that-exceeds/m-p/347485#M102919 <PRE><CODE>index="index" field="field" sourcetype="sourcetype" | bucket _time span=1d | stats count as EventCount by _time | rename COMMENT as "This section adds records for the days which had zero counts. Remove if unwanted." | appendpipe [| stats min(_time) as mintime max(_time) as maxtime | eval _time=mvrange(mintime,maxtime,86400) | eval EventCount=0] | stats max(EventCount) as EventCount by _time | rename COMMENT as "This section calculates which days were beyond n stdevs, and sets a flag to count them up." | eventstats avg(EventCount) as avgEventCount stdev(EventCount) as stdevEventCount | eval logs1=if(EventCount&gt; avgEventCount+1*stdevEventCount,1,0) | eval logs2=if(EventCount&gt; avgEventCount+2*stdevEventCount,1,0) | eval logs3=if(EventCount&gt; avgEventCount+3*stdevEventCount,1,0) | rename COMMENT as "This section adds records to show the specific dates beyond n stdevs, for test purposes. Remove when working if unwanted." | eval day = strftime(_time,"%Y-%m-%d") | eval days1=if(EventCount&gt; avgEventCount+1*stdevEventCount,day,0) | eval days2=if(EventCount&gt; avgEventCount+2*stdevEventCount,day,0) | eval days3=if(EventCount&gt; avgEventCount+3*stdevEventCount,day,0) | rename COMMENT as "This section calculates and reports your answers." | stats sum(log*) as log*, values(day*) as day* </CODE></PRE> Thu, 15 Jun 2017 18:51:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-to-find-the-number-of-days-that-exceeds/m-p/347485#M102919 DalJeanis 2017-06-15T18:51:05Z Re: How to generate a search to find the number of days that exceeds mean by certain ranges? https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-to-find-the-number-of-days-that-exceeds/m-p/347486#M102920 <P>Check out this Q&amp;A for a very in-depth conversation on this topic (don't forget to up-vote):<BR /> <A href="https://answers.splunk.com/answers/511894/how-to-use-the-timewrap-command-and-set-an-alert-f.html#answer-512022">https://answers.splunk.com/answers/511894/how-to-use-the-timewrap-command-and-set-an-alert-f.html#answer-512022</A></P> Thu, 15 Jun 2017 20:21:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-to-find-the-number-of-days-that-exceeds/m-p/347486#M102920 woodcock 2017-06-15T20:21:39Z