Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Standard Deviation of Timechart

tfitzgerald15
Explorer
‎10-24-2013 12:09 PM

I'm working on a chart which will map a baseline of existing data. The search I am currently using is as follows.

sourcetype=pan_threat severity!=informational | eventstats count as totalcount | eval threshold=(totalcount/25) | timechart span=1h count, first(threshold) as "Maximum Threshold"

That works great for getting the average charting. I now also want to take the Standard Deviation of the timechart of the count, and map that as well. Anyone have any idea how to do that? I've tried a second eventstats, which throws me back some very weird standard deviations on the data itself.

0 Karma
Reply

prelert
Path Finder
‎10-24-2014 12:37 PM

Of course this is going to sound like a shameless plug, but honestly, the easiest way to do this is with the Prelert Anomaly Detective app.

Using the QuickMode feature, you can literally put this search in:

sourcetype=pan_threat severity!=informational | timechart count

and Anomaly Detective will automatically take care of baselining the normal occurrence rate and will offer you the ability to alert on significant deviations in the data (and if you'd like, also on-going, running in the background as well). How it works video: http://support.prelert.com/customer/portal/articles/1417340-quickmode

By the way, don't get caught up in trying to use standard deviation as your approach to express anomalousness. Standard deviation assumes that the data samples (in this case, "counts of events") conforms to a nice, symmetrical Gaussian Bell curve. In most cases, counts of things are better modeled by Poisson curves. Anomaly Detective automatically figures out the best statistical model for your data to maximize accuracy and minimize false alerting.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...