Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Detect deviations over historical query

__________o7___
New Member
‎03-25-2014 08:39 PM

I have a query that looks like:

index=proxy filter_category="Blocked"
| eval hrmarker=strftime(_time, "%H")
| eval date=strftime(_time, "%m/%d") 
| eval weekday=strftime(_time, "%a") 
| stats dc(ip) AS "Counter" by hrmarker,date,weekday 
| stats avg(Counter) AS "Avg" stdev(Counter) AS "Stdev" by hrmarker,weekday

What I would like to do, is show all of the Day/Hours that were greater than 1 deviation from the norm, based on the Day of the week/Hour from the query.

Is there any way to do this without re-running the entire query?

If the query must be rerun, what is the best way to go about it?

Tags (2)
0 Karma
Reply

gauldridge
Path Finder
‎03-27-2014 08:32 PM

You need to add the value of Counter into your second stats:

| stats values(Counter) AS Counter avg(Counter) AS "Avg" stdev(Counter) AS "Stdev" by hrmarker,weekday

Then you can add an eval and a where clause to see your desired results:

| eval OverNorm=if(Counter>(Avg+Stdev),"yes","no") | where OverNorm="yes"

Alternatively, you could just do the comparison in the where clause and not have a flag for where it's over or not.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...