How to find Anomalies in my login data?


Looking for the exact query to find outliers or anomalies in my csv data using stddev in Splunk enterprise?

Fields from csv: user, action, src, dest, host, _time


Any help would be appreciated. 


Thanks in advance!





It is not possible to give you an "exact query" because you haven't provided sufficient detail as to what you are measuring.



I'm trying to measure login count or unusual number of logins from particular source. 



Still insufficient detail for an "exact query", so I will make some assumptions.

``` Load your data ```
| inputlookup your.csv
``` Use hourly timeslices ```
| bin _time span=1h
``` Only keep login actions ```
| where action="LOGIN"
``` Count events by hour and source ```
| stats count by _time src
``` Find mean and standard deviation ```
| eventstats avg(count) as avg stddev(count) as stddev by src
``` Find deviation from mean in terms of standard deviation ```
| eval deviation=(count-avg)/stddev
``` Keep hours with sources deviating from their mean by more than 2 standard deviations ```
| where abs(deviation) > 2
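The same pipeline re-implemented offline in Python, as an added example that is not part of the answer above, so you can check what the SPL will flag before running it against your own CSV. The sample rows are constructed; the function names and the 2-standard-deviation threshold are assumptions matching the search above.

```python
import csv
import io
import statistics
from collections import Counter, defaultdict
from datetime import datetime
# Constructed sample data (hypothetical): 10.0.0.5 logs in once an hour for five
# hours, then eight times in hour 05; 10.0.0.9 logs in exactly twice every hour.
def _sample_rows():
    rows = ["user,action,src,dest,host,_time"]
    rows += [f"alice,LOGIN,10.0.0.5,srv1,h1,2023-10-01T{h:02d}:10:00" for h in range(5)]
    rows += [f"alice,LOGIN,10.0.0.5,srv1,h1,2023-10-01T05:{m:02d}:00" for m in range(0, 40, 5)]
    for h in range(6):
        rows += [f"bob,LOGIN,10.0.0.9,srv1,h1,2023-10-01T{h:02d}:{m:02d}:00" for m in (0, 30)]
    rows.append("bob,LOGOUT,10.0.0.9,srv1,h1,2023-10-01T03:45:00")  # dropped by the action filter
    return "\n".join(rows) + "\n"
SAMPLE_CSV = _sample_rows()

def hourly_login_counts(csv_text):
    """| bin _time span=1h | where action="LOGIN" | stats count by _time src"""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["action"] != "LOGIN":
            continue
        hour = datetime.fromisoformat(row["_time"]).replace(minute=0, second=0)
        counts[(hour, row["src"])] += 1
    return counts

def find_anomalies(csv_text, threshold=2.0):
    """| eventstats avg/stddev by src | eval deviation | where abs(deviation) > threshold"""
    counts = hourly_login_counts(csv_text)
    per_src = defaultdict(list)
    for (_, src), n in counts.items():
        per_src[src].append(n)
    hits = []
    for (hour, src), n in sorted(counts.items()):
        series = per_src[src]
        if len(series) < 2:
            continue  # one bucket has no spread to compare against
        sd = statistics.stdev(series)  # sample stddev, as Splunk's stddev() computes
        if sd == 0:
            continue  # Splunk's eval gives null on divide-by-zero, so never a hit
        z = (n - statistics.mean(series)) / sd
        if abs(z) > threshold:
            hits.append((hour.isoformat(), src, n, round(z, 2)))
    return hits

if __name__ == "__main__":
    for hit in find_anomalies(SAMPLE_CSV):
        print("hour=%s src=%s count=%d deviation=%.2f" % hit)
```

A source that logs in at a perfectly steady rate (10.0.0.9 here) has zero standard deviation and is skipped rather than flagged, which is also why the SPL's `where` clause never matches such sources.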

