Splunk Stream: How to find outliers in data taken ...

mkresstreysta · ‎02-22-2018

I am trying to find outliers in data taken from stream located on a terminal server, to detect large outbound file uploads. I have written a search which kind of works but I get multiple entries for applications and can't find a way to group them together. The search I have come up with is below. Any help would be appreciated!

index=main host=ts01 source="stream:Splunk_Tcp" NOT dest_ip="192.168.*"
| rename "sum(bytes_out)" AS "bytes_out"
| eventstats avg("bytes_out") as avg stdev("bytes_out") as stdev 
| eval lowerBound=(avg-stdev*2)
| eval upperBound=(avg+stdev*2)
| eval isOutlier=if('bytes_out' > 'upperBound', 1, 0) 
| table "app" "isOutlier" "bytes_out" "stdev" "avg"

skoelpin · ‎02-22-2018

Try something like this

| eventstats avg(count) AS pred by _time
| eval upper=if(count>pred,count,pred) 
| eval lower=if(count<pred,count,pred) 
| eval lower=if(lower=0,"",lower) 
| eventstats avg(count) AS pred, stdev(count) as pred_stdev, by _time
| eval upper=if(upper>pred+1*pred_stdev,pred_stdev*0.5+pred,upper) 
| eval lower=if(lower <pred-1*pred_stdev,pred_stdev*0.5+pred, lower) 
| stats avg(count) AS pred, stdev(upper) AS ustdev, stdev(lower) AS lstdev stdev(count) as stdev by time 
| eval low=pred-lstdev*(sqrt(1/(1-90/100))) 
| eval low=if(low<0, 1, low) 
| eval high=pred+ustdev*(sqrt(1/(1-90/100)))

Splunk Stream: How to find outliers in data taken from stream located on a terminal server, to detect large outbound file uploads?

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Are you a member of the Splunk Community?

Splunk Stream: How to find outliers in data taken from stream located on a terminal server, to detect large outbound file uploads?

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency