Creating a Splunk Alert Rule for Anomalies Detected
Hello,
I am trying to create a Splunk alert to trigger when it detects an anomaly in the firewall logs based on IDS signature.
I created a pretty good graph that would work well in a dashboard, but I need it to populate a table or stats on when an outlier is found and which signature it is.
This is what I have so far:
index="firewall" sourcetype="threat" tag=attack action=allowed
| bin _time span=4h
| eventstats count(signature) as "Count" by _time
| eventstats values(Count) as valu
| eventstats count(valu) as help by _time
| eventstats median(Count) as med
| eval newValue = abs(Count-med)
| eventstats median(newValue) as medianAbsDev by signature
| eval upper = med+(medianAbsDev*1.1)
| eval lower = 0
| eval isOutlier=if(Count < lower OR Count > upper, 1,0)
| timechart span=1h count, count(signature) as CountOfIndicator, values(upper) as upperl, values(lower) as lowerl, values(isOutlier) as Outliers by signature usenull=f useother=f
| filldown
I just need to be able to identify the outliers in a table so I can have it generate an alert when the query has results.
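One way to turn the median/MAD approach above into an alert search that returns a row per outlying signature, as an added example rather than the poster's own query. It assumes the same index, sourcetype and `signature` field as the post, a 7-day lookback, and a minimum of 6 populated 4-hour buckets per signature (an assumed floor, since a median and MAD computed from a handful of buckets produce a near-zero threshold and noisy alerts); counts are computed per `_time` and `signature` so that the median and MAD describe each signature's own baseline, and only the newest bucket is kept so a scheduled alert does not re-fire on old outliers.

```spl
index="firewall" sourcetype="threat" tag=attack action=allowed earliest=-7d
| bin _time span=4h
| stats count as Count by _time signature
| eventstats median(Count) as med by signature
| eval absDev = abs(Count - med)
| eventstats median(absDev) as medianAbsDev, dc(_time) as bins by signature
| eval upper = med + (medianAbsDev * 1.1)
| eval lower = 0
| eval isOutlier = if(Count < lower OR Count > upper, 1, 0)
| eventstats max(_time) as latestBin
| where isOutlier=1 AND bins >= 6 AND _time = latestBin
| table _time signature Count med medianAbsDev upper
| sort - Count
```

Schedule it every 4 hours with the trigger condition "number of results > 0"; the resulting table lists the time bucket, the signature, its observed count and the threshold it exceeded, which is what the alert payload needs.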
