Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Proper Std Dev Generation

bnafziger
Engager
‎10-08-2012 10:20 AM

I am a newbie. I'd like an another user's opinion of my logic. Is this the proper syntax for generation of std dev? In particular, to show the prior 7 days of the std dev of total, successful and failed logins using a prior 30 day time span? This is crufted logic from several other answers. Thank you.

    [index source sourcetype]  %ASA-auth "AAA user authentication" earliest=-60d@d latest=now 
    | timechart span=60m count as total 
    count(eval(searchmatch("Successful"))) as success 
    count(eval(searchmatch("Rejected"))) as rejected
    | streamstats window=720 stdev(total) as stdevtotal mean(total) as meantotal
    | streamstats window=720 stdev(success) as stdevSuccess mean(success) as meanSuccess
    | streamstats window=720 stdev(rejected) as stdevRejected mean(rejected) as meanRejected
    | eval total = (total - meantotal) / stdevtotal 
    | eval success = (success - meanSuccess) / stdevSuccess
    | eval rejected = (rejected - meanRejected) / stdevRejected 
    | eval three = 3
    | fields _time total success rejected three
    | where _time > relative_time(now(),"-7d@d")
Tags (2)
0 Karma
Reply

richcollier
Path Finder
‎03-19-2013 07:39 AM

Hi bnafziger,

I'm not sure of your ultimate goal, but it looks as if you want to find "outliers" in events based upon "normal" historical behavior. The problem with using just plain old "average" and "std deviation" is that if the "model" of the data isn't a perfect Gaussian distribution (i.e. a "bell curve") , then using avg and stdev will yield misleading results.

An alternative approach is to do what the Prelert Anomaly Detective app does, which uses dynamic modeling to "fit" the data better and you'll get more accurate results. And, it's easy to use!

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...