Solved: How to compute the mean activity volume per field ...

pavanae · ‎10-27-2016

How to Compute the mean activity volume per user in each hour yesterday, and find the ones more than n standard deviations above the mean?

Note: Considering user as a field

Any ideas about writing a search which satisfies the above condition?

vasanthmss · ‎10-27-2016

try something like this,,

base search | timechart span=1h mean(user) as mean, stdev(user) AS std | where std>10 AND mean>10

V

View solution in original post

mgrosholz · ‎10-28-2016

By mean activity, I am assuming you mean the average.
| stats avg(count) by date_hour, user

For standard deviation you can try something like below. Replace "n" with your amount.
| eventstats stdev(count) as deviation | eval outlier=deviation*"n" | where count > outlier

vasanthmss · ‎10-27-2016

try something like this,,

base search | timechart span=1h mean(user) as mean, stdev(user) AS std | where std>10 AND mean>10

V

How to compute the mean activity volume per field in Splunk?

Can’t make it to .conf25? Join us online!

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Index This | How many sevens are there between 1 and 100?

Are you a member of the Splunk Community?

How to compute the mean activity volume per field in Splunk?

Can’t make it to .conf25? Join us online!

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Index This | How many sevens are there between 1 and 100?