How to display an event count deviation?

matthew_foos · ‎03-29-2018

Hello all,

I've been tasked with building a standard deviation alert / dashboard / report by using the total count of events over 7 days. I've tried the following search with no success:

| metadata type=hosts index=* which gives me a totalCount of events for my hosts.

I'm trying to figure out how to display any deviation that is +/- 10% and alert on this.

I'm happy to provide further information.

Thanks!

kmaron · ‎04-03-2018

okay try this

base search 
| bucket _time span=1d
| stats count BY _time countedfield
| eventstats stdev(count) as stdev BY countedfield
| eval stdevincrease = (stdev*1.1)
| where count > stdevincrease AND _time > now()-(24*60*60)

Set your earliest to be 7 days and your latest to be now.
Your buckets are 1 day time spans
the eventstats will do the standard deviation over the 7 days then the where clause only looks at the last day
So you can set your alert to trigger on anything greater than 0

kmaron · ‎03-29-2018

a deviation over what time frame? You said 7 days for the total count but are you comparing daily? hourly?

matthew_foos · ‎04-02-2018

I will be comparing daily.

How to display an event count deviation?

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Splunk App for Anomaly Detection End of Life Announcement

Aligning Observability Costs with Business Value: Practical Strategies

Are you a member of the Splunk Community?

How to display an event count deviation?

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Splunk App for Anomaly Detection End of Life Announcement

Aligning Observability Costs with Business Value: Practical Strategies