https://community.splunk.com/t5/Splunk-Search/How-to-generate-statistical-data-without-knowing-field-names-in/m-p/585644#M204047 <P>Honored Splunkodes,</P> <P>I am trying to keep track of the manpower in each of my legions, so that if any legion loses too many troops at once, I know which one to reinforce.<BR />However, I have many legions, and thus I track all of their manpower without knowing which ones will be important each day. I can't leave my myrmidons without reinforcements!</P> <P>I'd like to generate statistical information about them at the time of graph generation.</P> <P>Currently I'm doing this, it's dirty but it works.</P> <P>I get my legion manpower by querying that index, dropping any that don't fall in the top 50.<BR />index=legions LegionName=*<BR />| timechart span=1d limit=50 count by LegionName<BR />| fields - OTHER<BR />| untable _time LegionName ManPower<BR />| outputlookup append=f mediterranean_legions.csv</P> <P>Then I load up my lookup:<BR />| inputlookup mediterranean_legions.csv<BR />| convert timeformat="%Y-%m-%dT%H:%M:%S" mktime(_time) as _time<BR />| bucket _time span=1d<BR />| timechart avg(ManPower) by LegionName<BR />| fields - OTHER<BR />| untable _time LegionName ManPower<BR />| streamstats global=f window=10 avg(ManPower) AS avg_value by LegionName<BR />| eval lowerBound=(-avg_value*1.25)<BR />| eval upperBound=(avg_value*1.25)<BR />| eval isOutlier=if('ManPower' &lt; lowerBound OR 'ManPower' &gt; upperBound, "XXX".ManPower, ManPower)<BR />| search isOutlier="XXX*"<BR />| table _time, LegionName, ManPower, *</P> <P>This gives me a quick idea which legions have lost (or gained) a lot of manpower each day.</P> <P>Now ideally, I'd like to generate standard deviation and determine if they are outliers based on z score rather than just guessing with the lower and upper bound values.</P> <P>If this worked, I'd get what I want. Is there a way to accomplish this?</P> <P>| streamstats global=f window=10 avg(ManPower) AS mp_avg by LegionName, stdev(ManPower) as mp_stdev by LegionName, max(ManPower) as mp_max by LegionName, min(ManPower) as mp_min by LegionName</P> Fri, 18 Feb 2022 01:09:06 GMT decenior 2022-02-18T01:09:06Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-statistical-data-without-knowing-field-names-in/m-p/585644#M204047 <P>Honored Splunkodes,</P> <P>I am trying to keep track of the manpower in each of my legions, so that if any legion loses too many troops at once, I know which one to reinforce.<BR />However, I have many legions, and thus I track all of their manpower without knowing which ones will be important each day. I can't leave my myrmidons without reinforcements!</P> <P>I'd like to generate statistical information about them at the time of graph generation.</P> <P>Currently I'm doing this, it's dirty but it works.</P> <P>I get my legion manpower by querying that index, dropping any that don't fall in the top 50.<BR />index=legions LegionName=*<BR />| timechart span=1d limit=50 count by LegionName<BR />| fields - OTHER<BR />| untable _time LegionName ManPower<BR />| outputlookup append=f mediterranean_legions.csv</P> <P>Then I load up my lookup:<BR />| inputlookup mediterranean_legions.csv<BR />| convert timeformat="%Y-%m-%dT%H:%M:%S" mktime(_time) as _time<BR />| bucket _time span=1d<BR />| timechart avg(ManPower) by LegionName<BR />| fields - OTHER<BR />| untable _time LegionName ManPower<BR />| streamstats global=f window=10 avg(ManPower) AS avg_value by LegionName<BR />| eval lowerBound=(-avg_value*1.25)<BR />| eval upperBound=(avg_value*1.25)<BR />| eval isOutlier=if('ManPower' &lt; lowerBound OR 'ManPower' &gt; upperBound, "XXX".ManPower, ManPower)<BR />| search isOutlier="XXX*"<BR />| table _time, LegionName, ManPower, *</P> <P>This gives me a quick idea which legions have lost (or gained) a lot of manpower each day.</P> <P>Now ideally, I'd like to generate standard deviation and determine if they are outliers based on z score rather than just guessing with the lower and upper bound values.</P> <P>If this worked, I'd get what I want. Is there a way to accomplish this?</P> <P>| streamstats global=f window=10 avg(ManPower) AS mp_avg by LegionName, stdev(ManPower) as mp_stdev by LegionName, max(ManPower) as mp_max by LegionName, min(ManPower) as mp_min by LegionName</P> Fri, 18 Feb 2022 01:09:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-statistical-data-without-knowing-field-names-in/m-p/585644#M204047 decenior 2022-02-18T01:09:06Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-statistical-data-without-knowing-field-names-in/m-p/585673#M204057 <P>I am not sure what it is you are trying to accomplish but does something like this work?</P><LI-CODE lang="markup">| gentimes start=-28 increment=1m | rename starttime as _time | streamstats count as row | eval LegionName=mvindex(split("ABCDEFGHIJKLMNOPQRSTUVWXYZ",""),random()%4).mvindex(split("ABCDEFGHIJKLMNOPQRSTUVWXYZ",""),random()%25) | timechart span=1d limit=50 count by LegionName | fields - OTHER | untable _time LegionName ManPower | timechart avg(ManPower) by LegionName | fields - OTHER | untable _time LegionName ManPower | streamstats global=f window=10 avg(ManPower) AS mp_avg stdev(ManPower) as mp_stdev max(ManPower) as mp_max min(ManPower) as mp_min by LegionName | eval lowerBound=mp_avg-mp_stdev | eval upperBound=mp_avg+mp_stdev | eval isOutlier=if('ManPower' &lt; lowerBound OR 'ManPower' &gt; upperBound, "XXX".ManPower, ManPower) | search isOutlier="XXX*" | table _time, LegionName, ManPower, *</LI-CODE> Fri, 18 Feb 2022 08:06:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-statistical-data-without-knowing-field-names-in/m-p/585673#M204057 ITWhisperer 2022-02-18T08:06:40Z