How to find Anomalies in my login data?

satyaallaparthi
Communicator

Looking for the exact query to find outliers or anomalies in my CSV data using stddev in Splunk Enterprise?

Fields from CSV: user, action, src, dest, host, _time

Any help would be appreciated. 

Thanks in advance!

ITWhisperer
SplunkTrust

It is not possible to give you an "exact query" because you haven't provided sufficient detail as to what you are measuring.

satyaallaparthi
Communicator

I'm trying to measure login count or an unusual number of logins from a particular source.

ITWhisperer
SplunkTrust

Still insufficient detail for an "exact query", so I will make some assumptions.

``` Load your data ```
| inputlookup your.csv
``` Use hourly timeslices ```
| bin _time span=1h
``` Only keep login actions ```
| where action="LOGIN"
``` Count events by hour and source ```
| stats count by _time src
``` Find mean and standard deviation ```
| eventstats avg(count) as avg stddev(count) as stddev by src
``` Find deviation from mean in terms of standard deviation ```
| eval deviation=(count-avg)/stddev
``` Keep hours with sources deviating from their mean by more than 2 standard deviations ```
| where abs(deviation) > 2
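The same per-source hourly z-score logic, written out in Python as an added illustration (this is not code from the thread and not the answer's SPL). It builds a small constructed CSV with the fields from the question (user, action, src, dest, host, _time), bins logins into hour buckets, computes each source's mean and sample standard deviation of hourly counts, and keeps buckets more than 2 standard deviations from that source's mean. The IPs, users and timestamps are made up; the threshold and field names mirror the SPL above.

```python
import csv
import io
from collections import Counter, defaultdict
from statistics import mean, stdev


def build_sample_csv() -> str:
    """Constructed sample data (not real logs) in the question's CSV layout.

    _time is epoch seconds. One source logs in once an hour and then bursts,
    the other is perfectly steady, and LOGOUT rows are mixed in so the
    action filter matters.
    """
    base = 1_700_000_000 - (1_700_000_000 % 3600)  # align to an hour boundary
    rows = ["user,action,src,dest,host,_time"]
    for hour in range(7):
        t = base + hour * 3600
        # 10.0.0.5: one login per hour, then a burst of 20 in the last hour
        logins = 20 if hour == 6 else 1
        for i in range(logins):
            rows.append(f"alice,LOGIN,10.0.0.5,vpn-gw,host1,{t + i * 10}")
        # 10.0.0.9: a steady two logins every hour (stddev of 0)
        for i in range(2):
            rows.append(f"bob,LOGIN,10.0.0.9,vpn-gw,host2,{t + 60 + i * 10}")
        # a LOGOUT each hour that the action filter must exclude
        rows.append(f"alice,LOGOUT,10.0.0.5,vpn-gw,host1,{t + 1800}")
    return "\n".join(rows) + "\n"


def hourly_login_counts(csv_text: str, action: str = "LOGIN") -> Counter:
    """Equivalent of: bin _time span=1h | where action="LOGIN" | stats count by _time src."""
    counts: Counter = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["action"] != action:
            continue
        hour = int(row["_time"]) // 3600 * 3600  # floor to the hour bucket
        counts[(hour, row["src"])] += 1
    return counts


def zscore_outliers(counts: Counter, threshold: float = 2.0) -> list:
    """Equivalent of: eventstats avg/stddev by src | eval deviation | where abs(deviation) > threshold."""
    by_src = defaultdict(list)
    for (hour, src), n in counts.items():
        by_src[src].append((hour, n))

    outliers = []
    for src, series in by_src.items():
        values = [n for _, n in series]
        if len(values) < 2:
            # A source seen in only one hour has no standard deviation; SPL yields
            # null here and the `where` clause silently drops it.
            continue
        avg = mean(values)
        sd = stdev(values)  # sample standard deviation, as Splunk's stddev()
        if sd == 0:
            # Constant series: (count-avg)/0 is null in SPL and is dropped too.
            continue
        for hour, n in series:
            dev = (n - avg) / sd
            if abs(dev) > threshold:
                outliers.append({
                    "_time": hour, "src": src, "count": n,
                    "avg": round(avg, 3), "stddev": round(sd, 3),
                    "deviation": round(dev, 3),
                })
    return sorted(outliers, key=lambda r: (r["_time"], r["src"]))


if __name__ == "__main__":
    for row in zscore_outliers(hourly_login_counts(build_sample_csv())):
        print(row)
```

Two behaviours worth knowing before trusting the SPL version on real data: a source that appears in only one hour, or whose hourly count never changes, produces a null deviation and is dropped without any indication, and a source with only a handful of hours gives a very unstable z-score, so a burst of 20 logins against a baseline of 1 per hour lands at roughly 2.3 standard deviations rather than the far larger number intuition suggests. Lengthening the lookback, or requiring a minimum number of buckets per source, makes the threshold more meaningful.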
