Alert when sample is 2 standard deviations from mo... - Splunk Community

Alerting

I am trying to develop an anomaly detector:

Search data...
Determine 95 percentile (or 2 std deviations from average) of last 30 min.
Determine the avg of the last 1 min.

Alert condition: avg(1min) > perc95(30min)

It would also be nice to be able to use a single graph of perc95(30min) and avg(1min) over the same multi-hour timeline.

I can get the data I want as separate series, but have not been able to integrate everything due to having 2 different sampling intervals. Any ideas?

sourcetype=access_combined earliest=-1w
| eval halfanhour = _time
| bucket halfanhour span=30m
| eval min = _time
| bucket min span=1m
| eventstats p95(bytes) as ninety_five by halfanhour
| eventstats mean(bytes) as minute_average by min
| timechart span=1m last(ninety_five) as "95th Percentile", last(minute_average) as "Average (minute)"

From this answer.

Make sure you set gaps to connected under format.

205 KB

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...