https://community.splunk.com/t5/Splunk-Search/Calculating-stdev-by-individual-users/m-p/406908#M117554 <P>Also, I suppose I'm missing a way for this to determine the average on a daily basis over a long period of time. That's why I was considering streamstats, for time_window=1d.</P> Wed, 16 Jan 2019 18:59:03 GMT danataylor 2019-01-16T18:59:03Z https://community.splunk.com/t5/Splunk-Search/Calculating-stdev-by-individual-users/m-p/406899#M117545 <P>Hi,</P> <P>I'm trying to build the following logic and failing: For each user in my Windows Event Logs, calculate the stdev and boundaries for the distinct count (averaged daily) of servers logged into, <STRONG>for each specific user.</STRONG> I would then theoretically set an alert to yell when any user reaches above their threshold.</P> <P>I have read the "Finding and removing outliers" doc, but that seem to allow creating upper and lower limits <STRONG>for each user, or "by user"</STRONG>, etc. I've tried to modify that information to fit this model and failed. Maybe I'm not understanding it correctly. My attempts look generally like this: </P> <PRE><CODE>| eventstats dc(dest_nt_host) as new_dc, avg(new_dc) as new_avg, stdev(new_avg) by user as new_stdev | eval upper = new_avg+(new_stdev*2) | eval lower = new_avg-(new_stdev*2) </CODE></PRE> <P>Any advice or guidance on this problem would be greatly appreciated!</P> Wed, 16 Jan 2019 16:18:49 GMT https://community.splunk.com/t5/Splunk-Search/Calculating-stdev-by-individual-users/m-p/406899#M117545 danataylor 2019-01-16T16:18:49Z https://community.splunk.com/t5/Splunk-Search/Calculating-stdev-by-individual-users/m-p/406900#M117546 <P>It should be as and then by user</P> <PRE><CODE>| eventstats dc(dest_nt_host) as new_dc, avg(new_dc) as new_avg, stdev(new_avg) as new_stdev by user | eval upper = new_avg+(new_stdev*2) | eval lower = new_avg-(new_stdev*2) </CODE></PRE> Wed, 16 Jan 2019 17:00:13 GMT https://community.splunk.com/t5/Splunk-Search/Calculating-stdev-by-individual-users/m-p/406900#M117546 Vijeta 2019-01-16T17:00:13Z https://community.splunk.com/t5/Splunk-Search/Calculating-stdev-by-individual-users/m-p/406901#M117547 <P>Thank you! However, this search is still not able to calculate thresholds per specific uesrs.</P> Wed, 16 Jan 2019 18:18:27 GMT https://community.splunk.com/t5/Splunk-Search/Calculating-stdev-by-individual-users/m-p/406901#M117547 danataylor 2019-01-16T18:18:27Z https://community.splunk.com/t5/Splunk-Search/Calculating-stdev-by-individual-users/m-p/406902#M117548 <P>Can you please share some sample event. Also why are you using eventstats, can't it be done by stats?</P> Wed, 16 Jan 2019 18:21:16 GMT https://community.splunk.com/t5/Splunk-Search/Calculating-stdev-by-individual-users/m-p/406902#M117548 Vijeta 2019-01-16T18:21:16Z https://community.splunk.com/t5/Splunk-Search/Calculating-stdev-by-individual-users/m-p/406903#M117549 <P>It's generic Windows Event Logs, where dest_nt_host is a value present in each log. No specific reason for using eventstats over stats. I've seen some examples using streamstats, but that doesn't give me output for upper or lower either.</P> Tue, 29 Sep 2020 22:47:12 GMT https://community.splunk.com/t5/Splunk-Search/Calculating-stdev-by-individual-users/m-p/406903#M117549 danataylor 2020-09-29T22:47:12Z https://community.splunk.com/t5/Splunk-Search/Calculating-stdev-by-individual-users/m-p/406904#M117550 <P>Did you try using stats? It should give you upper and lower values. </P> Wed, 16 Jan 2019 18:39:54 GMT https://community.splunk.com/t5/Splunk-Search/Calculating-stdev-by-individual-users/m-p/406904#M117550 Vijeta 2019-01-16T18:39:54Z https://community.splunk.com/t5/Splunk-Search/Calculating-stdev-by-individual-users/m-p/406905#M117551 <P>I tried and it did not return values for those</P> Wed, 16 Jan 2019 18:47:54 GMT https://community.splunk.com/t5/Splunk-Search/Calculating-stdev-by-individual-users/m-p/406905#M117551 danataylor 2019-01-16T18:47:54Z https://community.splunk.com/t5/Splunk-Search/Calculating-stdev-by-individual-users/m-p/406906#M117552 <P>I just realized you are performing stats on the as field (avg(new_dc) defined in same eventstats) which will return blank. </P> Wed, 16 Jan 2019 18:50:39 GMT https://community.splunk.com/t5/Splunk-Search/Calculating-stdev-by-individual-users/m-p/406906#M117552 Vijeta 2019-01-16T18:50:39Z https://community.splunk.com/t5/Splunk-Search/Calculating-stdev-by-individual-users/m-p/406907#M117553 <P>How else would you perform recursive stats operations? Separate lines (new stats command) for each step?</P> Wed, 16 Jan 2019 18:54:57 GMT https://community.splunk.com/t5/Splunk-Search/Calculating-stdev-by-individual-users/m-p/406907#M117553 danataylor 2019-01-16T18:54:57Z https://community.splunk.com/t5/Splunk-Search/Calculating-stdev-by-individual-users/m-p/406908#M117554 <P>Also, I suppose I'm missing a way for this to determine the average on a daily basis over a long period of time. That's why I was considering streamstats, for time_window=1d.</P> Wed, 16 Jan 2019 18:59:03 GMT https://community.splunk.com/t5/Splunk-Search/Calculating-stdev-by-individual-users/m-p/406908#M117554 danataylor 2019-01-16T18:59:03Z https://community.splunk.com/t5/Splunk-Search/Calculating-stdev-by-individual-users/m-p/406909#M117555 <P><IMG src="https://imgur.com/a/cbH5ZVY" alt="here's an example search now" />: <A href="https://imgur.com/a/cbH5ZVY">https://imgur.com/a/cbH5ZVY</A></P> Wed, 16 Jan 2019 19:07:45 GMT https://community.splunk.com/t5/Splunk-Search/Calculating-stdev-by-individual-users/m-p/406909#M117555 danataylor 2019-01-16T19:07:45Z https://community.splunk.com/t5/Splunk-Search/Calculating-stdev-by-individual-users/m-p/406910#M117556 <P>May be something like this</P> <PRE><CODE>| streamstats dc(dest_nt_host) as new_dc by User| eventstats avg(new_dc) as new_avg by user|eventstats stdev(new_avg) as new_stdev by user | eval upper = new_avg+(new_stdev*2) | eval lower = new_avg-(new_stdev*2) </CODE></PRE> Wed, 16 Jan 2019 19:11:23 GMT https://community.splunk.com/t5/Splunk-Search/Calculating-stdev-by-individual-users/m-p/406910#M117556 Vijeta 2019-01-16T19:11:23Z https://community.splunk.com/t5/Splunk-Search/Calculating-stdev-by-individual-users/m-p/406911#M117557 <P>Edited to clarify that I am seeking to get stdev of the distinct count (averaged daily) of servers logged into, by each individual user.</P> Thu, 17 Jan 2019 15:30:58 GMT https://community.splunk.com/t5/Splunk-Search/Calculating-stdev-by-individual-users/m-p/406911#M117557 danataylor 2019-01-17T15:30:58Z https://community.splunk.com/t5/Splunk-Search/Calculating-stdev-by-individual-users/m-p/406912#M117558 <P>I should note that I am seeking stdev of <EM>distinct count (averaged daily) of servers logged into</EM>, by each user. I edited my OP to reflect this</P> Thu, 17 Jan 2019 15:31:48 GMT https://community.splunk.com/t5/Splunk-Search/Calculating-stdev-by-individual-users/m-p/406912#M117558 danataylor 2019-01-17T15:31:48Z https://community.splunk.com/t5/Splunk-Search/Calculating-stdev-by-individual-users/m-p/406913#M117559 <P>I haven't tried the search, but something on below lines should work</P> <PRE><CODE>&lt;yoursearch&gt;| bin span=1d _time| eventstats dc(dest_nt_host) as distinct_host by _time user|eventstats dc(_time) as count1| eval avg=distinct_host/count1| stats values(avg) as new_avg, stdev(avd) as new_stdev by user| eval upper = new_avg+(new_stdev*2) | eval lower = new_avg-(new_stdev*2) </CODE></PRE> Thu, 17 Jan 2019 17:06:06 GMT https://community.splunk.com/t5/Splunk-Search/Calculating-stdev-by-individual-users/m-p/406913#M117559 Vijeta 2019-01-17T17:06:06Z