Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to compute the mean activity volume per field in Splunk?

pavanae
Builder
‎10-27-2016 12:47 PM

How to Compute the mean activity volume per user in each hour yesterday, and find the ones more than n standard deviations above the mean?

Note: Considering user as a field

Any ideas about writing a search which satisfies the above condition?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vasanthmss
Motivator
‎10-27-2016 01:52 PM

try something like this,,

base search | timechart span=1h mean(user) as mean, stdev(user) AS std | where std>10 AND mean>10

V

View solution in original post

Reply
Solved! Jump to solution

mgrosholz
Path Finder
‎10-28-2016 04:50 AM

By mean activity, I am assuming you mean the average.
| stats avg(count) by date_hour, user

For standard deviation you can try something like below. Replace "n" with your amount.
| eventstats stdev(count) as deviation | eval outlier=deviation*"n" | where count > outlier

0 Karma
Reply
Solved! Jump to solution
Solution

vasanthmss
Motivator
‎10-27-2016 01:52 PM

try something like this,,

base search | timechart span=1h mean(user) as mean, stdev(user) AS std | where std>10 AND mean>10

V
Reply
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>

Get Updates on the Splunk Community!