Solved: Help with Stats and time buckets

mpasha · ‎08-16-2019

good day everyone,
I have been wrestling with a rather trivial task in Splunk but have not been able to progress with the task at all.
I have a summary index that records number of DNS queries per hour. I have attached a csv file with the content: link text

here is the requirement:
I need to have an aggregate of DNS query counts per day which i can calculte with no problem:

index=sum_dnsquery_count earliest=-2mon@mon latest=@d
| bucket _time span=1d@d
| timechart sum(count) as Daily_DNSQuery

now the challenging part is i want to calculate daily average for the past two month and also standard deviation of the daily count for the same time frame "past 2 months" "Keep in mind the summary index minimum time value is 1hr. and lastly i want to have a chart with the daily values with average and standard deviation superimposed on a chart.

Any help is greatly appreciated.

Thanks,

mpasha · ‎08-16-2019

Somesoni2 has answered the question and it is working perfectly.
Thanks again Somesoni2.

View solution in original post

mpasha · ‎08-16-2019

Somesoni2 has answered the question and it is working perfectly.
Thanks again Somesoni2.

somesoni2 · ‎08-16-2019

Does following doesn't give you right values?

index=sum_dnsquery_count earliest=-2mon@mon latest=@d
 | bucket _time span=1d@d
 | timechart sum(count) as Daily_DNSQuery stdev(count) as StandardDeviation

OR this

index=sum_dnsquery_count earliest=-2mon@mon latest=@d
 | bucket _time span=1d@d
 | timechart sum(count) as Daily_DNSQuery | eventstats stdev(Daily_DNSQuery) as StandardDeviation

mpasha · ‎08-16-2019

Awsome!!!!!
Thanks so much it is working the way it should.
Really appreciate your help Somesoni2.

Help with Stats and time buckets

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...