Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to lower threshold to 15 standard deviation below the mean, and upper to 15 above the mean?

majilan1
Path Finder
‎07-06-2022 06:12 PM

Hi Splunkers,

This may be easy, but I'm not able to solve it, if anyone can help.

I want to set a lower threshold to 15 standard deviation below the mean, and the upper threshold to 15 standard deviation above the mean, but I'm not sure how to implement that. 

Thanks!

 So this is what I have: 

 index=X  sourcetype=Y  source=metrics.kv_log  appln_name IN ("FEED_FILE_ROUTE", "FEED_INGEST_ROUTE")  this_hour="*"

| bin span=1h  _time

| stats latest(this-hour) AS Volume BY appln_name, _time

| eval day_of_week=strftime(_time,"%A"), hour=strftime(_time,"%H")

| lookup mt_expected_processed_volume.csv name as appln_name, day_of_week, hour outputnew avg_volume, stdev_volume
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-10-2022 01:43 AM

The issue you may have with out of bounds data is that your mean average and standard deviation are imported from your csv file and may or may not relate to the actual data you are evaluating. You could try recalculating your mean and standard deviation to get a better understanding of what an outlier might be. Having said that, you might want to consider using the median (although you might want to bucket the volumes first) and consider the variance from the median instead, to identify outliers.

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-06-2022 10:49 PM

Try something like this

| where Volume > avg_volume - (stdev_volume * 15) AND Volume < avg_volume + (stdev_volume * 15)
0 Karma
Reply
Solved! Jump to solution

majilan1
Path Finder
‎07-07-2022 06:22 AM

Thanks ITWhisperer,

I don't actually want to filter right away, what I want to do is that I want to add a column for upper threshold and lower threshold and then a third column for if the Volume is within the threshold or not. 

And thanks again for always helping !

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-07-2022 06:57 AM 
| eval lower_bound = avg_volume - (stdev_volume * 15)
| eval upper_bound = avg_volume + (stdev_volume * 15)
| eval in_bounds = if (Volume > lower_bound AND Volume < upper_bound, "true", "false")
0 Karma
Reply
Solved! Jump to solution

majilan1
Path Finder
‎07-07-2022 11:47 AM

Thanks again, IT Whisperer !

This works perfect, except I want to grab a sum of in_bound= true VS in_bound=false for each app.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-07-2022 12:14 PM 
| eval in_bounds = if (Volume > lower_bound AND Volume < upper_bound, 1, 0)
| eval out_bounds = if (Volume > lower_bound AND Volume < upper_bound, 0, 1)
Reply
Solved! Jump to solution

majilan1
Path Finder
‎07-08-2022 08:24 AM

So I would have triggered the alert many times compared to the number of hours where it wouldn't have triggered.

How to play around with the standard deviation multiplication factor with (currently 15) to see if I can reduce the number of outbounds to inbounds.

FYI:   app                                                     sum(in_bounds)                                                             SUM(OUT_BOUNDS)

            Feed_file                                            12                                                                                            701

             Feed_ingest                                     199                                                                                              501                                                                         

                                                                                                                                                                      

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-10-2022 01:43 AM

The issue you may have with out of bounds data is that your mean average and standard deviation are imported from your csv file and may or may not relate to the actual data you are evaluating. You could try recalculating your mean and standard deviation to get a better understanding of what an outlier might be. Having said that, you might want to consider using the median (although you might want to bucket the volumes first) and consider the variance from the median instead, to identify outliers.

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-08-2022 09:25 AM

Standard deviation from mean works well with normal distributions - the fact that you have so many outside 15 standard deviations would seem to suggest that you do not have a normal distribution. Do you know what the distribution looks like?

0 Karma
Reply
Solved! Jump to solution

majilan1
Path Finder
‎07-08-2022 09:32 AM

Thanks for the follow-up. What is the distribution looks like, please?

Thanks

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-08-2022 09:44 AM

Depending on the values of your Volume field, you could bucket them into 100s (for example) and the count the frequencies of the various volume ranges

| bin Volume span=100s
| stats count by Volume
0 Karma
Reply
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...