Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Alert if value is greater than 2xSTDEV

bcusick
Communicator
‎01-28-2014 08:56 AM

Hi,

I am trying to find outliers by using the idea of a Bell Curve. I have a search that provides stats on mean, standard deviation, and 2 standard deviations. The idea is to get an alert if the value of a field (totalMB) is greater than 2 standard deviations.

source=x action="1" | eval megabytes=bytes_out/1024/1024 | stats sum(megabytes) as totalMB by src_user | stats mean(totalMB) stdev(totalMB) as "deviation" | eval outlier=deviation*2 | where totalMB > outlier | table src_user totalMB

When I leave out | where totalMB < outlier | table src_user totalMB , the math checks out for mean and standard deviations. But I cannot get the fields to pop up (whether I do less than or greater than the falue outlier. There are matching results, but the search returns "0 results found".

Any help is appreciated.

Thanks,

B

0 Karma
Reply

linu1988
Champion
‎01-28-2014 09:28 AM

Second stats will take out your totalMB field. 

source=x action="1" | eval megabytes=bytes_out/1024/1024 | stats sum(megabytes) as totalMB by src_user |append[|search source=x action="1" | eval megabytes=bytes_out/1024/1024 | stats sum(megabytes) as totalMB by src_user | stats mean(totalMB) stdev(totalMB) as "deviation" by src_user] | eval outlier=deviation*2 | stats Values(totalMB) as totalMB,Values(outlier) as outlier by src_user|where totalMB > outlier | table src_user totalMB
0 Karma
Reply

bcusick
Communicator
‎01-28-2014 01:33 PM

when setting the deviation by user, this gives a stdev of 0 for each user, which isn't what we're trying to do. I changed this portion to "stats mean(totalMB) by user stdev(totalMB) as "deviation", but still no results. If there's an easy way to see the current value of deviation or outlier, that would help also

0 Karma
Reply

linu1988
Champion
‎01-28-2014 10:19 AM

Updated it

0 Karma
Reply

bcusick
Communicator
‎01-28-2014 10:18 AM

When I run this search, I get an error. "Unknown search command 'source'."

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...