Splunk Search

How do I calculate the square root of a summed field?

steenbergend
New Member

Hello,

I'm trying to solve for a standard error formula in the number of observations I have for all hbss dlp events. The formula I'm interested in solving for is:

Standard Error = Standard Deviation / square root of number of observations

index=hbss sourcetype=hbss_dlp* | stats sum(Evidence Count) <- This gives me a number

The below search gives me an error. I know I'm supposed to use the stdev with the eval command but was unable to get that rolling. How can I calculate the standard deviation and the square root of a summed field and then use them both in a formula for an even newer field?

index=hbss sourcetype=hbss_dlp* | stats sum(Evidence Count) as "Total Files Burned" stdev(sum(Evidence Count))/sqrt(sum(Evidence Count))

0 Karma
1 Solution

acharlieh
Influencer

If I'm understanding the scenario correctly: if we consider each event with a non-null "Evidence Count" field as an observation of our population, then we can calculate the standard deviation of the Evidence Count field and the count of observations as outputs of the stats command, then pipe that to eval to finish the calculation:

.... | stats stdev(Evidence Count) as stdev count(Evidence Count) as count | eval error = stdev / sqrt(count)

Is this what you're looking for or is my interpretation a bit off here?


0 Karma


steenbergend
New Member

I do have a non-null "Evidence Count" that shows the number of files that were burned to a CD for one given event. I want to sum that number, hence sum(Evidence Count), or number of files burned. The count(Evidence Count) sums the number of individual events, I think. When I put these two stats in my search I got two different numbers, which is confusing because it seems count and sum should do the same thing.

Although the eval error syntax did calculate the formula and give me a number. Brilliant! Getting closer.

0 Karma
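The following is an added Python reference computation, not code from the thread or from Splunk, that reproduces what the accepted answer's stats/eval pipeline does and why the follow-up post saw different numbers for sum and count. It models each Splunk event as a dict, uses a constructed set of "Evidence Count" values, and mirrors Splunk's stats semantics as documented: sum(field) adds the field values, count(field) counts the events where the field is non-null, and stdev(field) is the sample standard deviation (stdevp would be the population form). For contrast it also computes the denominator the original question tried, sqrt(sum) instead of sqrt(count). The event list and field values are made up for illustration.

```python
import math
import statistics

# Constructed sample: one dict per Splunk event. "Evidence Count" is the number
# of files burned in that event. These values are made up for illustration.
EVENTS = [
    {"Evidence Count": 12},
    {"Evidence Count": 3},
    {"Evidence Count": 7},
    {"Evidence Count": None},  # no Evidence Count: stats functions skip this event
    {"Evidence Count": 20},
    {"Evidence Count": 8},
]


def observations(events, field="Evidence Count"):
    """Values of `field` across the events that carry it.

    Splunk's stats functions ignore events where the field is null, so an
    event without the field is not an observation."""
    return [e[field] for e in events if e.get(field) is not None]


def splunk_like_stats(events, field="Evidence Count"):
    """Mirror `stats sum(field) as sum count(field) as count stdev(field) as stdev`.

    sum   -> total of the field values (total files burned)
    count -> number of events that have the field (number of observations)
    stdev -> sample standard deviation (n-1 denominator), which is what
             Splunk's stdev() returns; stdevp() is the population form."""
    vals = observations(events, field)
    return {
        "sum": sum(vals),
        "count": len(vals),
        "stdev": statistics.stdev(vals) if len(vals) > 1 else 0.0,
    }


def standard_error(events, field="Evidence Count"):
    """The accepted answer's `eval error = stdev / sqrt(count)`:
    standard deviation divided by the square root of the number of observations."""
    s = splunk_like_stats(events, field)
    return s["stdev"] / math.sqrt(s["count"])


def stdev_over_sqrt_sum(events, field="Evidence Count"):
    """What the original question's search was heading towards: dividing by
    sqrt(sum) instead of sqrt(count). Included only to show that the two
    denominators are different quantities and give different results."""
    s = splunk_like_stats(events, field)
    return s["stdev"] / math.sqrt(s["sum"])


if __name__ == "__main__":
    s = splunk_like_stats(EVENTS)
    print(f"sum={s['sum']} count={s['count']} stdev={s['stdev']:.4f}")
    print(f"standard error (stdev / sqrt(count)) = {standard_error(EVENTS):.4f}")
    print(f"stdev / sqrt(sum) for comparison      = {stdev_over_sqrt_sum(EVENTS):.4f}")
```

With the constructed events, sum is 50 (files burned) while count is 5 (events that carried the field), which is the gap between the two stats the follow-up post noticed. The standard error uses count, the number of observations, in the denominator; sum is the total of the observations and belongs in a different formula.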