https://community.splunk.com/t5/Splunk-Search/Why-stdev-returns-zero/m-p/143472#M39854 <P>this eval expression <CODE>...|eval TotalOKlw=if(description=="Checkin exitoso", 1, 0) ]|....</CODE>do you have 0 or 1 values to <STRONG>TotalOKlw</STRONG>.<BR /> then when you make <CODE>...|stats stdev(TotalOKlw) as STdesv ...</CODE><BR /> it is nomal that you have STdesv=0.</P> Fri, 05 Jun 2015 15:10:15 GMT fdi01 2015-06-05T15:10:15Z https://community.splunk.com/t5/Splunk-Search/Why-stdev-returns-zero/m-p/143470#M39852 <P>Hi there,<BR /> I'm working on this query:</P> <P>index=checkin host="<EM>prod</EM>" earliest=-0d@d latest=now (description="Intento de checkin*" OR description="Checkin exitoso*") |transaction productId |<BR /> eval TotalOK=if(description=="Checkin exitoso", 1, 0) | <BR /> eval time=_time | <BR /> bucket time span=10m |<BR /> append [search index=checkin host="<EM>prod</EM>" earliest=-7d@d latest=-6d@d (description="Intento de checkin*" OR description="Checkin exitoso*") | transaction productId |<BR /> eval time=relative_time(_time,"+7d") |<BR /> bucket time span=10m |<BR /> eval TotalOKlw=if(description=="Checkin exitoso", 1, 0) ] |append [search index=checkin host="<EM>prod</EM>" earliest=-14d@d latest=-13d@d (description="Intento de checkin*" OR description="Checkin exitoso*") | transaction productId |<BR /> eval time=relative_time(_time,"+14d") |<BR /> bucket time span=10m |<BR /> eval TotalOKlw=if(description=="Checkin exitoso", 1, 0) ]| append [search index=checkin host="<EM>prod</EM>" earliest=-21d@d latest=-20d@d (description="Intento de checkin*" OR description="Checkin exitoso*") | transaction productId |<BR /> eval time=relative_time(_time,"+21d") |<BR /> bucket time span=10m |<BR /> eval TotalOKlw=if(description=="Checkin exitoso", 1, 0) ]| <BR /> eval theTime=strftime(time, "%F %H:%M %p") |<BR /> stats stdev(TotalOKlw) as STdesv sum(TotalOK) as CheckinToday sum(TotalOKlw) as TOTALOKlw by theTime | eval CheckinHist=(TOTALOKlw/3) | eval diferencia=CheckinHist-CheckinToday</P> <P>I try to compare a historic average with an actual value, I need get the standar deviation for my historics values (3 values) and do some mathematical proportion with the diference to trigger an alarm. But the stdev give me zeros values.<BR /> What I'm doing wrong?</P> <P>Thanks in advance</P> <P>Cheers</P> Mon, 28 Sep 2020 20:11:02 GMT https://community.splunk.com/t5/Splunk-Search/Why-stdev-returns-zero/m-p/143470#M39852 mrcportillo 2020-09-28T20:11:02Z https://community.splunk.com/t5/Splunk-Search/Why-stdev-returns-zero/m-p/143471#M39853 <P>A value of "0" makes perfect sense to me. You individual field values will either be <CODE>0</CODE> or <CODE>1</CODE> due to the way you set them and my guess is that the actual values are either all 3 are 0 or all 3 are 1 which gives stdev=0.</P> Fri, 05 Jun 2015 13:59:55 GMT https://community.splunk.com/t5/Splunk-Search/Why-stdev-returns-zero/m-p/143471#M39853 woodcock 2015-06-05T13:59:55Z https://community.splunk.com/t5/Splunk-Search/Why-stdev-returns-zero/m-p/143472#M39854 <P>this eval expression <CODE>...|eval TotalOKlw=if(description=="Checkin exitoso", 1, 0) ]|....</CODE>do you have 0 or 1 values to <STRONG>TotalOKlw</STRONG>.<BR /> then when you make <CODE>...|stats stdev(TotalOKlw) as STdesv ...</CODE><BR /> it is nomal that you have STdesv=0.</P> Fri, 05 Jun 2015 15:10:15 GMT https://community.splunk.com/t5/Splunk-Search/Why-stdev-returns-zero/m-p/143472#M39854 fdi01 2015-06-05T15:10:15Z