Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How does this search from Splunk documentation work to calculate the percentage of outliers?

Shisa
Explorer
‎03-30-2015 09:25 PM

I'd like to understand the mathematical meaning of the below search on documentation. Is this my understanding right that it calculates the outliers of 4.6% up or down based on the normal distribution?

sourcetype=access_* | eval URILen = len(useragent) | eventstats avg(URILen) as AvgURILen, stdev(URILen) as StdDevURILen| where URILen > AvgURILen+(2*StdDevURILen)

Use the stats command and functions: http://docs.splunk.com/Documentation/Splunk/6.2.0/Search/Usethestatscommandandfunctions

If I want to get the 0.3% outliers, can I do this by just changing the condition like this? 

... | where URILen > AvgURILen+(3*StdDevURILen)
Tags (3)
0 Karma
Reply

ngatchasandra
Builder
‎03-31-2015 08:32 AM

Hi Shisa,
This search returns events that macth URILen's average and URILen's sample standard deviation where URILen > AvgURILen+(2*StdDevURILen) .

If i understand your problems, you want to return events where URILen > AvgURILen+(3*StdDevURILen) , this can be possible but, in your case, when i run sourcetype=access_* | eval URILen = len(useragent) | eventstats avg(URILen) as AvgURILen, stdev(URILen) as StdDevURILen| where URILen > AvgURILen+(3*StdDevURILen)| table AvgURILen StdDevURILen| table AvgURILen StdDevURILen ,

i get results not found . This explain that in the first part of query, that is sourcetype=access_* | eval URILen = len(useragent) | eventstats avg(URILen) as AvgURILen, stdev(URILen) as StdDevURILen| table AvgURILen StdDevURILen URILen

which displays like follow, there is no values of URILen where we can have URILen > AvgURILen+(3*StdDevURILen). Thus, can't get results.

alt text

Preview file
55 KB
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...