I have a technical and mainly a security/SIEM background. So I have no issues with understanding the SPL language in general, the administration etc etc. I however do fall flat on my face whenever I want to do anything more advanced with the SPL language and statistics.
This SplunkConf talk for example talks about actionable alerting https://conf.splunk.com/files/2016/slides/writing-actionable-alerts.pdf
and in the last slides talks about Nth percentage, proper time groups, outliers etc etc. It sounds great, but I'm a techie, not a statistician or data scientist, so my queries simple don't work as they should as I fail to understand the concepts I think. Splunk documentation is more explaining the command or argument, but not the concept as a whole.
I'm guessing other people must have had the same issues with this. Do you know of any materials that get my knowledge up a little bit, especially in relation to Splunk? I have looked around the Answer forum and other sites but did not see much that would help me I don't feel like going into a full blown statistics course would be the proper thing to do for the somewhat more advanced queries I want to write.
Thanks for your patience with my reply and thanks for listening to my talks!
I agree that our documentation is great with highlighting the usage but sometimes it's hard to see why or how that might be useful. As a result, I often go straight to the examples part of the docs entry for an spl command. Those tend to make things more concrete for me, from a concept point of view, that is.
I'd recommend the free Splunk Book. It applies spl in a more real world scenario and takes it's time explaining the scenarios: http://www.splunk.com/goto/book
I'd also recommend the conf talk's associated blog post: http://blogs.splunk.com/2016/01/29/writing-actionable-alerts which might provide an easier medium to digest the concepts.
Lastly, learn by doing! I don't have a statistics background (other than what I got from computer science and an MBA) but I def learned a lot by not being afraid to try and fail. That and answers.splunk.com. If you want to do something in splunk, outline the concept in a post, let your fellow splunkers translate what that might be in statistics and then into spl. Then you'll learn that new building block from which you can create more. Notice I highlighted outlining the real world challenge in your post - that's because if you try to ask about a specific implementation, you won't be inviting potential new approaches to solve the same problem and therefore won't be learning. Always focus on your challenge in the post, rather than your attempts at implementing.
Other than that, if you provide specific things you've struggled with, I might be able to get more pointers and resources to you.
In lieu of going through a stats course to understand the underlying principles, the next best bet is probably to find somebody nearby (coworker/colleague, or maybe a local stats/data science focused meetup) to have a dialog with to better understand whats going on here.
Along with this, I'd recommend toying around with the stats functions.
If you have access to Splunk Enterprise Security, then George Starcher's series on utilizing Extreme Search is a good starting point for a practical application of stats
Please let me know if this helps!
Thanks for your reply. It's not that I don't want to follow a statistics course, but it seems to quickly become too advanced for my current needs. As Statistics is a profession and discipline on it's own.
I do have access to Splunk Enterprise Security, but the hardware for it won't be here for quite some time. So I'll have to wait with that one unfortunately