Hi,

I have the following query:
| tstats count where index=dns earliest=-90d latest=now() groupby _time span=1d
| fields _time count
| rename _time as hour
| eval hour=strftime(hour,"%Y-%m-%d %H:%M:%S")
| fields hour count
| fields - _*
| eventstats avg(count) as avg_count
| eval k=(pow(avg_count,2))/(var(count)-avg_count)
| eval outlier=if(count>(avg_count+k*pow(avg_count,2)),1,0)
| eval predicted_outlier=if(outlier=1,"anomaly","normal")
| eval actual_outlier=if(day>relative_time(now(),"-7d"), "anomaly", "normal")
| eval true_positives=if(predicted_outlier="anomaly" AND actual_outlier="anomaly", 1, 0)
| eval false_positives=if(predicted_outlier="anomaly" AND actual_outlier="normal", 1, 0)
| eval false_negatives=if(predicted_outlier="normal" AND actual_outlier="anomaly", 1, 0)
| eval true_negatives=if(predicted_outlier="normal" AND actual_outlier="normal", 1, 0)
| stats sum(true_positives) as TP, sum(false_positives) as FP, sum(false_negatives) as FN, sum(true_negatives) as TN
| eval accuracy=(TP+TN)/(TP+FP+FN+TN)
| eval precision=TP/(TP+FP)
| eval recall=TP/(TP+FN)

However, the this statement is not working as the var command does not work without stats and I cannot use stats in a command by itself as I want to apply this k formula for each daily count. Can you please help?


Many thanks,