Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Reporting
- :
- Re: Comparing Standard Deviations
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to write a report that returns any report types where the 1 hour average Duration has exceed the average + 2 Standard Deviations for a running 24 hours. How can I compare these values?
I have a query, but the 1 hour average isn't showing up:
index="prd_common_events" AppCode="MMX" EventName="ReportRun" earliest = -24h latest=now| stats avg(Duration) as avg stdev(Duration) as standdev by ReportType | eval two = 2* standdev | eval avgts = avg + two | append [ search index="prd_common_events" AppCode="MMX" EventName="ReportRun" earliest=-1h latest=now | stats avg(Duration) as nowavg ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, I have a question: what do you get when you run the two searches independently? That is, what happens when you run
index="prd_common_events" AppCode="MMX" EventName="ReportRun" earliest = -24h latest=now| stats avg(Duration) as avg stdev(Duration) as standdev by ReportType | eval two = 2* standdev | eval avgts = avg + two
And what happens when you run
index="prd_common_events" AppCode="MMX" EventName="ReportRun" earliest=-1h latest=now | stats avg(Duration) as nowavg
I think you will get a number of results for the first search (one for each ReportType) and only 1 result for the second search. I think I would do it this way
index="prd_common_events" AppCode="MMX" EventName="ReportRun" earliest = -24h@h latest=@h |
fields Duration ReportType |
stats avg(Duration) as avg stdev(Duration) as standdev by ReportType |
eval avgts = avg + ( 2* standdev ) |
fields ReportType avgts |
join ReportType [ search
index="prd_common_events" AppCode="MMX" EventName="ReportRun" earliest = -1h@h latest=@h |
fields Duration ReportType |
stats avg(Duration) as nowavg by ReportType |
fields ReportType nowavg ] |
where nowavg > avgts
Hope this works for you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, I have a question: what do you get when you run the two searches independently? That is, what happens when you run
index="prd_common_events" AppCode="MMX" EventName="ReportRun" earliest = -24h latest=now| stats avg(Duration) as avg stdev(Duration) as standdev by ReportType | eval two = 2* standdev | eval avgts = avg + two
And what happens when you run
index="prd_common_events" AppCode="MMX" EventName="ReportRun" earliest=-1h latest=now | stats avg(Duration) as nowavg
I think you will get a number of results for the first search (one for each ReportType) and only 1 result for the second search. I think I would do it this way
index="prd_common_events" AppCode="MMX" EventName="ReportRun" earliest = -24h@h latest=@h |
fields Duration ReportType |
stats avg(Duration) as avg stdev(Duration) as standdev by ReportType |
eval avgts = avg + ( 2* standdev ) |
fields ReportType avgts |
join ReportType [ search
index="prd_common_events" AppCode="MMX" EventName="ReportRun" earliest = -1h@h latest=@h |
fields Duration ReportType |
stats avg(Duration) as nowavg by ReportType |
fields ReportType nowavg ] |
where nowavg > avgts
Hope this works for you!
Data Management Digest – December 2025
Index This | What is broken 80% of the time by February?
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
