Hi team,
I'm trying to find the network traffic of a user and classify it as high or normal based on avg and stdev calculations.
QUERY:
index="pan_logs" sourcetype="pan:traffic" user!=unknown
| stats sum(bytes) as bytes by _time, user
| eval MB = round(bytes/1024/1024, 4)
| bin span=1d _time
| eventstats avg(MB) as avg, stdev(MB) as stdv by user, _time
| eval avg = round(avg, 4), stdv = round(stdv, 4)
| eval Volume_Type = if(MB > (avg + 2*stdv), "HIGH", "NORMAL")
However, the avg and stdev calculation is wrong here as it collects on a per-day basis and not when I keep it for the last 7 days.
Splunk has built-in functionality to make this much easier. Try using "anomalies" and/or "anomalousvalue":
https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Anomalies
https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Anomalousvalue
Thanks for the response. However, I am not sure of the threshold value to be set, as it can change from user to user, hence I calculated it based on avg and stdev. I understand we can use the streamstats command, but I am unable to calculate the avg for the last 7 days as I had already binned by 1 day at the start.
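Added example (not from the thread, and not the poster's or Splunk's code): the per-user daily baseline the question is after, written in Python so it can be run against a handful of constructed log lines. It does what the intended SPL should do: sum bytes per user per day, then score each day against the avg + 2*stdev of that user's previous 7 days only, so the day being scored never inflates its own baseline. The line format (`YYYY/MM/DD HH:MM:SS user=... bytes=...`), the 7-day window, the 3-day minimum baseline, and the extra `INSUFFICIENT_BASELINE` label are assumptions for the example; real pan:traffic events carry these fields differently.

```python
"""Per-user daily volume baseline with a trailing 7-day avg/stdev window.

Added example, not from the original thread. It mirrors the poster's intent:
sum bytes per user per day, then compare each day with mean + 2*stdev of that
user's previous days (the trailing window a single `stats ... by user,_time`
cannot give you).
"""
from __future__ import annotations

import re
from collections import defaultdict
from statistics import mean, stdev

WINDOW_DAYS = 7          # assumption: baseline is the previous 7 days, excluding the scored day
MIN_BASELINE_DAYS = 3    # assumption: fewer prior days than this -> no verdict
SIGMA = 2.0              # the "avg + 2*stdev" threshold from the question

# Constructed line shape for the example; real pan:traffic fields are extracted by the TA.
LINE_RE = re.compile(
    r"^(?P<day>\d{4}/\d{2}/\d{2}) \d{2}:\d{2}:\d{2} .*?\buser=(?P<user>\S+).*?\bbytes=(?P<bytes>\d+)"
)


def daily_mb(lines):
    """Equivalent of `user!=unknown | bin span=1d _time | stats sum(bytes) by user,_time`,
    returning {(user, day): MB rounded to 4 decimals}."""
    totals = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["user"] == "unknown":
            continue  # unparseable line or the user!=unknown filter
        totals[(m["user"], m["day"])] += int(m["bytes"])
    return {key: round(total / 1024 / 1024, 4) for key, total in totals.items()}


def classify(daily, window=WINDOW_DAYS, min_days=MIN_BASELINE_DAYS, sigma=SIGMA):
    """Equivalent of `streamstats window=7 current=f avg(MB) stdev(MB) by user` followed
    by the HIGH/NORMAL eval. Returns one record per user-day, sorted per user by day."""
    per_user = defaultdict(list)
    for (user, day), mb in daily.items():
        per_user[user].append((day, mb))

    results = []
    for user, series in per_user.items():
        series.sort()  # day strings are zero-padded, so lexical order is date order
        for i, (day, mb) in enumerate(series):
            # prior days only: the scored day must not be part of its own baseline
            baseline = [v for _, v in series[max(0, i - window):i]]
            record = {"user": user, "_time": day, "MB": mb}
            if len(baseline) < min_days:
                record.update(avg=None, stdv=None, Volume_Type="INSUFFICIENT_BASELINE")
            else:
                avg = round(mean(baseline), 4)
                stdv = round(stdev(baseline), 4)  # sample stdev, like Splunk's stdev()
                record.update(avg=avg, stdv=stdv,
                              Volume_Type="HIGH" if mb > avg + sigma * stdv else "NORMAL")
            results.append(record)
    return results


def sample_lines():
    """Constructed data, not real traffic: alice moves ~50 MB/day for nine days and
    900 MB on the tenth; bob moves a flat 20 MB/day; an 'unknown' user is mixed in."""
    alice_mb = [48, 52, 50, 51, 47, 52, 49, 51, 50, 900]
    bob_mb = [20] * 10
    lines = []
    for d in range(10):
        day = f"2020/03/{d + 1:02d}"
        for user, mb in (("alice", alice_mb[d]), ("bob", bob_mb[d])):
            total = mb * 1024 * 1024
            # two sessions per day so the per-day sum is actually exercised
            lines.append(f"{day} 09:15:02 user={user} bytes={total // 2}")
            lines.append(f"{day} 17:40:11 user={user} bytes={total - total // 2}")
        lines.append(f"{day} 12:00:00 user=unknown bytes=999999")  # dropped by the filter
    lines.append("garbage line without the expected fields")  # skipped by the parser
    return lines


SAMPLE_LINES = sample_lines()


def run(lines=SAMPLE_LINES):
    return classify(daily_mb(lines))


if __name__ == "__main__":
    for r in run():
        print(r)
```

Only alice's tenth day comes out HIGH; her first three days get no verdict because there is not yet enough history, and bob's flat usage gives stdev 0, so a day equal to his baseline is NORMAL rather than HIGH (the comparison is strict). The same shape in SPL is to bin and sum first, then `streamstats window=7 current=f avg(MB) as avg stdev(MB) as stdv by user` before the HIGH/NORMAL eval, with the search time range covering at least the window plus the days being scored.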