We have data set which aggregated sessions with it's eventcount
for each event.
We are looking at setting up an alert for sessions where eventcount exceeded "normalcy".
For Bell-curved data we'd setup an alert for 2x or 3x STDEV. But in our case eventcount is not really Bell-curved - as it starts right away very high at low eventcount
and then gradually gets lower in this manner
x
x
xx
xxxx
xxxxxxxxxxxxxxx
Does Splunk has built-in ways to handle deviations for other types of non-Bell curved data sets?
You're very astute to recognize that using a "bell curve" Gaussian model (average and std. deviation) is not the most appropriate method to approach this. You could try the Prelert app (https://splunkbase.splunk.com/app/1306/) to detect anomalies instead - it uses machine learning to automatically pick an appropriate probability distribution that best models your data, thus giving more accuracy to outlier detection.
Check out Splunk's "cluster" command (I assume you have already tried the "stdev" function of the "stats" command).