Splunk Search

Standard Deviation of Timechart


I'm working on a chart which will map a baseline of existing data. The search I am currently using is as follows.

sourcetype=pan_threat severity!=informational | eventstats count as totalcount | eval threshold=(totalcount/25) | timechart span=1h count, first(threshold) as "Maximum Threshold"

That works great for getting the average charting. I now also want to take the Standard Deviation of the timechart of the count, and map that as well. Anyone have any idea how to do that? I've tried a second eventstats, which throws me back some very weird standard deviations on the data itself.

0 Karma

Path Finder

Of course this is going to sound like a shameless plug, but honestly, the easiest way to do this is with the Prelert Anomaly Detective app.

Using the QuickMode feature, you can literally put this search in:

sourcetype=pan_threat severity!=informational | timechart count

and Anomaly Detective will automatically take care of baselining the normal occurrence rate and will offer you the ability to alert on significant deviations in the data (and if you'd like, also on-going, running in the background as well). How it works video: http://support.prelert.com/customer/portal/articles/1417340-quickmode

By the way, don't get caught up in trying to use standard deviation as your approach to express anomalousness. Standard deviation assumes that the data samples (in this case, "counts of events") conforms to a nice, symmetrical Gaussian Bell curve. In most cases, counts of things are better modeled by Poisson curves. Anomaly Detective automatically figures out the best statistical model for your data to maximize accuracy and minimize false alerting.

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...