Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Detect deviations over historical query

__________o7___
New Member
‎03-25-2014 08:39 PM

I have a query that looks like:

index=proxy filter_category="Blocked"
| eval hrmarker=strftime(_time, "%H")
| eval date=strftime(_time, "%m/%d") 
| eval weekday=strftime(_time, "%a") 
| stats dc(ip) AS "Counter" by hrmarker,date,weekday 
| stats avg(Counter) AS "Avg" stdev(Counter) AS "Stdev" by hrmarker,weekday

What I would like to do, is show all of the Day/Hours that were greater than 1 deviation from the norm, based on the Day of the week/Hour from the query.

Is there any way to do this without re-running the entire query?

If the query must be rerun, what is the best way to go about it?

Tags (2)
0 Karma
Reply

gauldridge
Path Finder
‎03-27-2014 08:32 PM

You need to add the value of Counter into your second stats:

| stats values(Counter) AS Counter avg(Counter) AS "Avg" stdev(Counter) AS "Stdev" by hrmarker,weekday

Then you can add an eval and a where clause to see your desired results:

| eval OverNorm=if(Counter>(Avg+Stdev),"yes","no") | where OverNorm="yes"

Alternatively, you could just do the comparison in the where clause and not have a flag for where it's over or not.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...