Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How do I compare count over two time periods?

daniel333
Builder
‎03-07-2017 03:10 PM

All,

Thought there was a one stop shop command for this, but I can't find it. Basically I just want an alert when I see a drop in count of events. Say I have 1stddev of change in 15 minutes? 

index=* app=clamav | stats count
0 Karma
Reply

DalJeanis
Legend
‎03-08-2017 02:35 PM

The exact code depends entirely on what you mean by -1 std dev of change in 15 minutes. Here are a couple of examples.

This will look across the last 2 hours and find any minute where the average count for the prior 15 minutes is 1 s.d. below the average across the prior 2 hours.

earliest=-2h index=* app=clamav 
| bin _time span=1m 
| stats count as mycount by _time 
| streamstats avg(mycount) as avgcount15, stdev(mycount) as stdevcount15 time_window=15m
| streamstats avg(mycount) as avgcount120, stdev(mycount) as stdevcount120 time_window=2h
| where avgcount15 < avgcount120 - stdevcount120

This code will find any 15-minute period (2:00-2:15, 2:15-2:30, etc) where the average for the period is 1 s.d. below the average across the prior 2 hours.

earliest=-2h index=* app=clamav 
| bin _time span=1m 
| stats count as mycount by _time 
| eventstats avg(mycount) as avgcount120, stdev(mycount) as stdevcount120
| bin _time span=15m
| stats avg(mycount) as mycount15, first(avgcount120) as avgcount120, first(stdevcount120) as stdevcount120 by _time
| where avgcount15 < avgcount120 - stdevcount120
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...