https://community.splunk.com/t5/Splunk-Search/How-to-set-lower-and-upper-threshold-deviation/m-p/604636#M210300 <P>How would I implement that in what I do have, please? So this is what I have:</P><P>index=X&nbsp; sourcetype=Y source=metrics.kv_log appln_name IN ("FEED_FILE_ROUTE", "FEED_INGEST_ROUTE") this_hour="*"</P><P>| bin span=1h _time</P><P>| stats latest(this-hour) AS Volume BY appln_name, _time</P><P>| eval day_of_week=strftime(_time,"%A"), hour=strftime(_time,"%H")</P><P>|lookup mt_expected_processed_volume.csv name as appln_name, day_of_week, hour</P><P>outputnew avg_volume, stdev_volume</P> Wed, 06 Jul 2022 17:38:27 GMT majilan1 2022-07-06T17:38:27Z https://community.splunk.com/t5/Splunk-Search/How-to-set-lower-and-upper-threshold-deviation/m-p/604606#M210289 <P>Hi Splunkers,</P> <P>This may be easy, but I'm not able to solve it if anyone can help.</P> <P>I want to set a lower threshold to 15 standard deviation below the mean, and the upper threshold to 15 standard deviation above the mean, but I'm not sure how to implement that.&nbsp;</P> <P>Thanks!</P> Thu, 07 Jul 2022 14:28:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-set-lower-and-upper-threshold-deviation/m-p/604606#M210289 majilan1 2022-07-07T14:28:42Z https://community.splunk.com/t5/Splunk-Search/How-to-set-lower-and-upper-threshold-deviation/m-p/604610#M210291 <P>The general idea is to use the <FONT face="courier new,courier">eventstats</FONT> command to compute the standard deviation then use <FONT face="courier new,courier">eval</FONT> to calculate the lower and upper thresholds.&nbsp; Like this:</P><LI-CODE lang="markup">| eventstats stdev(foo) as stdev, avg(foo) as avg | eval lower=avg - stdev*15, upper=avg+stdev*15 | where (foo &lt; lower OR foo &gt; upper)</LI-CODE><P>&nbsp;</P> Wed, 06 Jul 2022 15:37:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-set-lower-and-upper-threshold-deviation/m-p/604610#M210291 richgalloway 2022-07-06T15:37:18Z https://community.splunk.com/t5/Splunk-Search/How-to-set-lower-and-upper-threshold-deviation/m-p/604636#M210300 <P>How would I implement that in what I do have, please? So this is what I have:</P><P>index=X&nbsp; sourcetype=Y source=metrics.kv_log appln_name IN ("FEED_FILE_ROUTE", "FEED_INGEST_ROUTE") this_hour="*"</P><P>| bin span=1h _time</P><P>| stats latest(this-hour) AS Volume BY appln_name, _time</P><P>| eval day_of_week=strftime(_time,"%A"), hour=strftime(_time,"%H")</P><P>|lookup mt_expected_processed_volume.csv name as appln_name, day_of_week, hour</P><P>outputnew avg_volume, stdev_volume</P> Wed, 06 Jul 2022 17:38:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-set-lower-and-upper-threshold-deviation/m-p/604636#M210300 majilan1 2022-07-06T17:38:27Z