How to calculate variance in an array?

dtakacssplunk
Explorer

I would like to create a column that tells me the variance for the array.

| makeresults 
| eval raw="1	session1	O1	S1	5 6 7 9#
2	session2	O2	S2	99 55 77 999#
3	session3	O1	S1	995 55 77 999#
4	session4	O1	S1	1 2 4 1#" 
| makemv raw delim="#" 
| mvexpand raw 
| rename raw as _raw 
| rex "(?<User>\S+)\s+(?<ClientSession>\S+)\s+(?<Organization>\S+)\s+(?<Section>\S+)\s+(?<downloadspeed_file1>\S+)\s+(?<downloadspeed_file2>\S+)\s+(?<downloadspeed_file3>\S+)\s+(?<downloadspeed_file4>\S+)" 
| eval downloadSpeedsArray=json_array(downloadspeed_file1, downloadspeed_file2, downloadspeed_file3, downloadspeed_file4)
| table User ClientSession Organization Section downloadspeed_file1, downloadspeed_file2, downloadspeed_file3, downloadspeed_file4 downloadSpeedsArray variance

 

 

Can you please help me calculate this column? Is the variance normalized across rows?

 

0 Karma

richgalloway
SplunkTrust

I think you'll need to write an external command for that.

---
If this reply helps you, Karma would be appreciated.
0 Karma

dtakacssplunk
Explorer

How do I do that? I'm not familiar with external functions.

0 Karma

richgalloway
SplunkTrust

There's too much to it to get into here, but Splunk has documentation on the subject.  See https://dev.splunk.com/enterprise/docs/devtools/customsearchcommands/createcustomsearchcmd/

---
If this reply helps you, Karma would be appreciated.
0 Karma
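
The external-command route suggested in the replies, sketched as an added example (not code from the thread or from Splunk): a streaming custom search command that reads downloadSpeedsArray on each row and writes a variance field. It assumes the Splunk Python SDK (splunklib) is shipped with the app; the command name rowvariance, the class name and the helper array_variance are hypothetical, and the helper returns sample variance (n-1) unless population=True is passed.

```python
import json
import statistics
import sys

try:  # Splunk Python SDK; assumed to be shipped with the app
    from splunklib.searchcommands import dispatch, StreamingCommand, Configuration
except ImportError:  # stand-ins so array_variance() can be tested without the SDK
    dispatch, StreamingCommand = None, object
    def Configuration():
        return lambda cls: cls


def array_variance(raw, population=False):
    """Variance of a JSON array string such as '["5","6","7","9"]'.

    Returns None if raw is not a JSON array or has fewer than two numeric items.
    """
    try:
        items = json.loads(raw)
    except (TypeError, ValueError):
        return None
    if not isinstance(items, list):
        return None
    nums = []
    for item in items:
        try:
            nums.append(float(item))
        except (TypeError, ValueError):
            continue  # skip entries that are not numbers
    if len(nums) < 2:
        return None
    return statistics.pvariance(nums) if population else statistics.variance(nums)


@Configuration()
class RowVarianceCommand(StreamingCommand):
    """Hypothetical usage after the eval in the question: ... | rowvariance"""

    def stream(self, records):
        for record in records:
            var = array_variance(record.get("downloadSpeedsArray"))
            # Leave the field empty when the array cannot be evaluated
            record["variance"] = "" if var is None else round(var, 4)
            yield record


if __name__ == "__main__" and dispatch is not None:
    dispatch(RowVarianceCommand, sys.argv, sys.stdin, sys.stdout, __name__)
```

Each row is computed independently from its own array, so the value is not normalized against other rows.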