Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to use dynamically calculated threshold in ale...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
I need to calculate the standard deviation value using previous 5mins of data and have to recalculate every 5 mins.. After getting the result, I need to use that calculated standard deviation value as a threshold value for upcoming data for 5mins. if the upcoming data is more than threshold, I need to trigger alert. How can I do about it?
Here is my search:
1. Calculate standard devi
source="tcp:9996" index="data" sourcetype="xml" earliest=-10m latest=-5m|stats avg(Ch3) as alpha stdev(Ch3) as sd|eval temp=sd|eval sigma=temp*3
2. check the value
source="tcp:9996" index="data" sourcetype="xml" streamstats current=false values(Ch3) as curVal |table _time curVal|where curVal>sigma
I do not know how to combine this 2 search as I cannot access sigma from search 2.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
source="tcp:9996" index="data" sourcetype="xml" streamstats current=false values(Ch3) as curVal |table _time curVal|where curVal> [search source="tcp:9996" index="data" sourcetype="xml" earliest=-10m latest=-5m|stats stdev(Ch3) as sd |eval search=temp*3 | table search]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
source="tcp:9996" index="data" sourcetype="xml" streamstats current=false values(Ch3) as curVal |table _time curVal|where curVal> [search source="tcp:9996" index="data" sourcetype="xml" earliest=-10m latest=-5m|stats stdev(Ch3) as sd |eval search=temp*3 | table search]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Now I am able to get the results when I use |return $search]. However, the search in this bracket [search ...] does not refresh or update the standard devi result every 5 mins although I set the search criteria in Realtime unless I use the dashboard set 'auto refresh delay'. So is there any way that I can make it auto update by not using the dashboard?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply. I am having an error "Error in 'where' command: Typechecking failed. The '>' operator received different types."
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Now when I try return search instead of table search, I get the following error:
"Error in 'where' command: The operator at '="0.069815009607701730"' is invalid." . looks like calculated value is returned.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
