topic Re: How to compute the mean activity volume per field in Splunk? in Splunk Search

How to compute the mean activity volume per field in Splunk?

pavanae — Thu, 27 Oct 2016 19:47:11 GMT

How to Compute the mean activity volume per user in each hour yesterday, and find the ones more than n standard deviations above the mean?

Note: Considering user as a field

Any ideas about writing a search which satisfies the above condition?

Re: How to compute the mean activity volume per field in Splunk?

vasanthmss — Thu, 27 Oct 2016 20:52:22 GMT

try something like this,,

base search | timechart span=1h mean(user) as mean, stdev(user) AS std | where std>10 AND mean>10

Re: How to compute the mean activity volume per field in Splunk?

mgrosholz — Fri, 28 Oct 2016 11:50:51 GMT

By mean activity, I am assuming you mean the average.
| stats avg(count) by date_hour, user

For standard deviation you can try something like below. Replace "n" with your amount.
| eventstats stdev(count) as deviation | eval outlier=deviation*"n" | where count > outlier