Archive

Display results from "yesterday" when calculating standard deviation over the past 30 days

Path Finder

Splunkers,

Here's the search string I'm using to calculate stdev over the last 30 days:

| tstats count where index=* by host, _time span=1d
| eventstats avg(count) as avg stdev(count) as stdev by host
| eval lowerBound=(avg-stdev*exact(2)), upperBound=(avg+stdev*exact(2))
| eval isOutlier=if(count < lowerBound OR count > upperBound, 1, 0)
| where isOutlier=1

My goal is to have this run as a report at 0600 everyday. I'm looking to display the results only from the previous day.

Any guidance would be fantastic.

Thanks

Tags (1)
0 Karma
1 Solution

This is a super easy fix, because your code is preserving the _time field:

| tstats count where index=* by host, _time span=1d
| eventstats avg(count) as avg stdev(count) as stdev by host
| eval lowerBound=(avg-stdev*exact(2)), upperBound=(avg+stdev*exact(2)) 
| eval isOutlier=if(count < lowerBound OR count > upperBound, 1, 0)
| where isOutlier=1 AND _time>=relative_time(now(), "-1d@d")

View solution in original post

0 Karma

This is a super easy fix, because your code is preserving the _time field:

| tstats count where index=* by host, _time span=1d
| eventstats avg(count) as avg stdev(count) as stdev by host
| eval lowerBound=(avg-stdev*exact(2)), upperBound=(avg+stdev*exact(2)) 
| eval isOutlier=if(count < lowerBound OR count > upperBound, 1, 0)
| where isOutlier=1 AND _time>=relative_time(now(), "-1d@d")

View solution in original post

0 Karma

Path Finder

elliotproebstel,

I'm still getting results for the current day as well as yesterday.

0 Karma

Ah, sure. Sorry. Here's a fix:

| tstats count where index=* by host, _time span=1d
| eventstats avg(count) as avg stdev(count) as stdev by host
| eval lowerBound=(avg-stdev*exact(2)), upperBound=(avg+stdev*exact(2)) 
| eval isOutlier=if(count < lowerBound OR count > upperBound, 1, 0)
| where isOutlier=1 AND _time>=relative_time(now(), "-1d@d") AND _time<relative_time(now(), "@d")
0 Karma

Path Finder

Nailed it.

0 Karma