Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to compute the mean activity volume per field in Splunk?

pavanae
Builder
‎10-27-2016 12:47 PM

How to Compute the mean activity volume per user in each hour yesterday, and find the ones more than n standard deviations above the mean?

Note: Considering user as a field

Any ideas about writing a search which satisfies the above condition?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vasanthmss
Motivator
‎10-27-2016 01:52 PM

try something like this,,

base search | timechart span=1h mean(user) as mean, stdev(user) AS std | where std>10 AND mean>10

V

View solution in original post

Reply
Solved! Jump to solution

mgrosholz
Path Finder
‎10-28-2016 04:50 AM

By mean activity, I am assuming you mean the average.
| stats avg(count) by date_hour, user

For standard deviation you can try something like below. Replace "n" with your amount.
| eventstats stdev(count) as deviation | eval outlier=deviation*"n" | where count > outlier

0 Karma
Reply
Solved! Jump to solution
Solution

vasanthmss
Motivator
‎10-27-2016 01:52 PM

try something like this,,

base search | timechart span=1h mean(user) as mean, stdev(user) AS std | where std>10 AND mean>10

V
Reply
Get Updates on the Splunk Community!

Almost Too Eventful Assurance: Part 1

Modern IT and Network teams still struggle with too many alerts and isolating issues before they are notified. ...

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...