Splunk Search

Alert if value is greater than 2xSTDEV

bcusick
Communicator

Hi,

I am trying to find outliers by using the idea of a Bell Curve. I have a search that provides stats on mean, standard deviation, and 2 standard deviations. The idea is to get an alert if the value of a field (totalMB) is greater than 2 standard deviations.

source=x action="1" | eval megabytes=bytes_out/1024/1024 | stats sum(megabytes) as totalMB by src_user | stats mean(totalMB) stdev(totalMB) as "deviation" | eval outlier=deviation*2 | where totalMB > outlier | table src_user totalMB

When I leave out | where totalMB < outlier | table src_user totalMB , the math checks out for mean and standard deviations. But I cannot get the fields to pop up (whether I do less than or greater than the falue outlier. There are matching results, but the search returns "0 results found".

Any help is appreciated.

Thanks,

B

0 Karma

linu1988
Champion

Second stats will take out your totalMB field.

source=x action="1" | eval megabytes=bytes_out/1024/1024 | stats sum(megabytes) as totalMB by src_user |append[|search source=x action="1" | eval megabytes=bytes_out/1024/1024 | stats sum(megabytes) as totalMB by src_user | stats mean(totalMB) stdev(totalMB) as "deviation" by src_user] | eval outlier=deviation*2 | stats Values(totalMB) as totalMB,Values(outlier) as outlier by src_user|where totalMB > outlier | table src_user totalMB
0 Karma

bcusick
Communicator

when setting the deviation by user, this gives a stdev of 0 for each user, which isn't what we're trying to do. I changed this portion to "stats mean(totalMB) by user stdev(totalMB) as "deviation", but still no results. If there's an easy way to see the current value of deviation or outlier, that would help also

0 Karma

linu1988
Champion

Updated it

0 Karma

bcusick
Communicator

When I run this search, I get an error. "Unknown search command 'source'."

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...