Splunk Search

Cannot use Var stats function within Eval

POR160893
Builder

Hi,

I have the following query:
| tstats count where index=dns earliest=-90d latest=now() groupby _time span=1d
| fields _time count
| rename _time as hour
| eval hour=strftime(hour,"%Y-%m-%d %H:%M:%S")
| fields hour count
| fields - _*
| eventstats avg(count) as avg_count
| eval k=(pow(avg_count,2))/(var(count)-avg_count)
| eval outlier=if(count>(avg_count+k*pow(avg_count,2)),1,0)
| eval predicted_outlier=if(outlier=1,"anomaly","normal")
| eval actual_outlier=if(day>relative_time(now(),"-7d"), "anomaly", "normal")
| eval true_positives=if(predicted_outlier="anomaly" AND actual_outlier="anomaly", 1, 0)
| eval false_positives=if(predicted_outlier="anomaly" AND actual_outlier="normal", 1, 0)
| eval false_negatives=if(predicted_outlier="normal" AND actual_outlier="anomaly", 1, 0)
| eval true_negatives=if(predicted_outlier="normal" AND actual_outlier="normal", 1, 0)
| stats sum(true_positives) as TP, sum(false_positives) as FP, sum(false_negatives) as FN, sum(true_negatives) as TN
| eval accuracy=(TP+TN)/(TP+FP+FN+TN)
| eval precision=TP/(TP+FP)
| eval recall=TP/(TP+FN)

However, the this statement is not working as the var command does not work without stats and I cannot use stats in a command by itself as I want to apply this k formula for each daily count. Can you please help?


Many thanks,

Labels (4)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The eval command works with a single result at a time.  Therefore, there is no variance in any of the fields.  That's why var is valid only in stats (and a few other commands, but not eva).

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

The eval command works with a single result at a time.  Therefore, there is no variance in any of the fields.  That's why var is valid only in stats (and a few other commands, but not eva).

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...