Splunk Search

Cannot use Var stats function within Eval



I have the following query:
| tstats count where index=dns earliest=-90d latest=now() groupby _time span=1d
| fields _time count
| rename _time as hour
| eval hour=strftime(hour,"%Y-%m-%d %H:%M:%S")
| fields hour count
| fields - _*
| eventstats avg(count) as avg_count
| eval k=(pow(avg_count,2))/(var(count)-avg_count)
| eval outlier=if(count>(avg_count+k*pow(avg_count,2)),1,0)
| eval predicted_outlier=if(outlier=1,"anomaly","normal")
| eval actual_outlier=if(day>relative_time(now(),"-7d"), "anomaly", "normal")
| eval true_positives=if(predicted_outlier="anomaly" AND actual_outlier="anomaly", 1, 0)
| eval false_positives=if(predicted_outlier="anomaly" AND actual_outlier="normal", 1, 0)
| eval false_negatives=if(predicted_outlier="normal" AND actual_outlier="anomaly", 1, 0)
| eval true_negatives=if(predicted_outlier="normal" AND actual_outlier="normal", 1, 0)
| stats sum(true_positives) as TP, sum(false_positives) as FP, sum(false_negatives) as FN, sum(true_negatives) as TN
| eval accuracy=(TP+TN)/(TP+FP+FN+TN)
| eval precision=TP/(TP+FP)
| eval recall=TP/(TP+FN)

However, the this statement is not working as the var command does not work without stats and I cannot use stats in a command by itself as I want to apply this k formula for each daily count. Can you please help?

Many thanks,

Labels (4)
0 Karma
1 Solution


The eval command works with a single result at a time.  Therefore, there is no variance in any of the fields.  That's why var is valid only in stats (and a few other commands, but not eva).

If this reply helps you, Karma would be appreciated.

View solution in original post


The eval command works with a single result at a time.  Therefore, there is no variance in any of the fields.  That's why var is valid only in stats (and a few other commands, but not eva).

If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

💌 Keep the new year’s momentum going with our February lineup of Community Office Hours, Tech Talks, ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Incident Response: Reduce Incident Recurrence with Automated Ticket Creation

Culture extends beyond work experience and coffee roast preferences on software engineering teams. Team ...