Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to get the standard deviation of the inter...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to get the standard deviation of the interval between the occurrence of events?
I have a server log in splunk and whenever a user login it will store a record with the username and timestamp.
Now I want to calculate the average and standard deviation for the time interval between two consecutive login. Is there a way to do so in splunk? I have more than 5000 users. Earliest and latest do not work as I want to calculate the time interval between each consecutive logins.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you didn't need to do the by user part, you could also consider autoregress and delta.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As DalJeanis answer, you can use stats avg(deltatime) and stdev(deltatime) by userId.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One other way of doing this is
base search
| sort 0 userid,_time
| streamstats range(_time) as timedelta window=2 by userid
| eval timedelta =if(timedelta=0,null,timedelta)
| stats avg(timedelta) as avgtimedelta stdev(timedelta) as stdevtimedelta by userid
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
your search that gets the records you are interested in, with _time and userid.
| sort 0 _time userid
| streamstats current=f last(_time) as prevtime by userid
| eval deltatime= _time - prevtime
Now you have the difference in time between each pair of user logins. The first for each userid will be null, because prevtime will have no value. Then this will give you your average and standard deviation.
| stats avg(deltatime) as avgdelta stdev(deltatime) as stdevdelta by userid
Myself, I would probably want to eliminate weekends from consideration, so I might kill any deltatime that was more than, say, 36 hours. However, such data cleaning will depend entirely on your use case; if your users tend to log on every few days, rather than several times a day, you should leave the data as is, or decide for yourself what makes sense.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
