
Help with Stats and time buckets

mpasha
Path Finder

Good day everyone,
I have been wrestling with a rather trivial task in Splunk but have not been able to progress with the task at all.
I have a summary index that records number of DNS queries per hour. I have attached a csv file with the content: link text

here is the requirement:
I need to have an aggregate of DNS query counts per day, which I can calculate with no problem:

index=sum_dnsquery_count earliest=-2mon@mon latest=@d
| bucket _time span=1d@d
| timechart sum(count) as Daily_DNSQuery

Now the challenging part: I want to calculate the daily average for the past two months and also the standard deviation of the daily count for the same time frame (past 2 months). Keep in mind the summary index minimum time value is 1 hr. And lastly I want to have a chart with the daily values with the average and standard deviation superimposed on a chart.

Any help is greatly appreciated.

Thanks,


mpasha
Path Finder

Somesoni2 has answered the question and it is working perfectly.
Thanks again Somesoni2.


somesoni2
Revered Legend

Does the following not give you the right values?

index=sum_dnsquery_count earliest=-2mon@mon latest=@d
 | bucket _time span=1d@d
 | timechart sum(count) as Daily_DNSQuery stdev(count) as StandardDeviation

OR this

index=sum_dnsquery_count earliest=-2mon@mon latest=@d
 | bucket _time span=1d@d
 | timechart sum(count) as Daily_DNSQuery | eventstats stdev(Daily_DNSQuery) as StandardDeviation
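The two queries above measure different spreads: stdev(count) inside timechart is the spread of the hourly counts within each day, while eventstats stdev(Daily_DNSQuery) is the spread of the daily totals across the whole window, which is what the question asks for. The search below is an added example, not part of the original answer, that extends the eventstats form with the daily average and 2-sigma bands so the daily values, the average and the bands can be superimposed on one line chart. It assumes the same index name and the hourly count field from the question; the output field names are chosen here for illustration.

```spl
index=sum_dnsquery_count earliest=-2mon@mon latest=@d
| bucket _time span=1d@d
| stats sum(count) as Daily_DNSQuery by _time
| eventstats avg(Daily_DNSQuery) as Daily_Avg stdev(Daily_DNSQuery) as Daily_StdDev
| eval Upper_2sigma=Daily_Avg + 2*Daily_StdDev
| eval Lower_2sigma=max(0, Daily_Avg - 2*Daily_StdDev)
| table _time Daily_DNSQuery Daily_Avg Upper_2sigma Lower_2sigma
```

Run it with the Line Chart visualization: _time is the x-axis and each remaining column is drawn as its own line, so the average and the two bands sit on top of the daily series. A few points to keep in mind: stdev is the sample standard deviation (use stdevp for the population value); stats by _time drops days that have no summary rows, whereas timechart would fill them with 0 and drag the average down, so check the summary index for backfill gaps before trusting the baseline; and with roughly 60 daily points plus weekday/weekend seasonality the band is wide, so a day above Upper_2sigma is a starting point for a DNS-volume investigation (tunnelling or exfiltration spikes), not proof of one. Appending | where Daily_DNSQuery > Upper_2sigma turns the same search into an alert.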

mpasha
Path Finder

Awesome!!!!!
Thanks so much it is working the way it should.
Really appreciate your help Somesoni2.
