Splunk Search

Standard Deviation of Timechart

tfitzgerald15
Explorer

I'm working on a chart which will map a baseline of existing data. The search I am currently using is as follows.

sourcetype=pan_threat severity!=informational | eventstats count as totalcount | eval threshold=(totalcount/25) | timechart span=1h count, first(threshold) as "Maximum Threshold"

That works great for getting the average charting. I now also want to take the Standard Deviation of the timechart of the count, and map that as well. Anyone have any idea how to do that? I've tried a second eventstats, which throws me back some very weird standard deviations on the data itself.

0 Karma

prelert
Path Finder

Of course this is going to sound like a shameless plug, but honestly, the easiest way to do this is with the Prelert Anomaly Detective app.

Using the QuickMode feature, you can literally put this search in:

sourcetype=pan_threat severity!=informational | timechart count

and Anomaly Detective will automatically take care of baselining the normal occurrence rate and will offer you the ability to alert on significant deviations in the data (and if you'd like, also on-going, running in the background as well). How it works video: http://support.prelert.com/customer/portal/articles/1417340-quickmode

By the way, don't get caught up in trying to use standard deviation as your approach to express anomalousness. Standard deviation assumes that the data samples (in this case, "counts of events") conform to a nice, symmetrical Gaussian bell curve. In most cases, counts of things are better modeled by Poisson curves. Anomaly Detective automatically figures out the best statistical model for your data to maximize accuracy and minimize false alerting.

0 Karma
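Added example, not code from either post: the hourly baseline the question describes, computed offline in Python over constructed log lines, with the mean + k*stdev band the question asks for beside the Poisson band that the answer argues fits event counts better. The sample events, the 2-sigma width and the 2.5% Poisson tail are assumptions chosen for the illustration.

```python
# Added example, not from the thread: hourly-count baseline for a timechart,
# with the Gaussian band the question asks for beside a Poisson band.
import math
import statistics
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events ("date time severity"): hour 05 carries a burst
# of 10, and hour 01 has an informational event the severity filter drops.
RAW_EVENTS = """\
2024-03-01 00:05:00 medium
2024-03-01 00:40:00 high
2024-03-01 01:10:00 low
2024-03-01 01:15:00 informational
2024-03-01 02:30:00 medium
2024-03-01 02:31:00 medium
2024-03-01 02:45:00 critical
2024-03-01 03:00:00 low
2024-03-01 04:00:00 high
2024-03-01 04:59:00 high
""" + "".join(f"2024-03-01 05:{m:02d}:00 medium\n" for m in range(10))

def hourly_counts(raw):
    """`timechart span=1h count` after severity!=informational; hours in
    the range with no events are reported as 0."""
    hours = []
    for line in raw.splitlines():
        date, clock, severity = line.split()
        if severity != "informational":
            hours.append(datetime.strptime(f"{date} {clock[:2]}", "%Y-%m-%d %H"))
    counts, start = Counter(hours), min(hours)
    span = int((max(hours) - start).total_seconds() // 3600) + 1
    return [counts.get(start + timedelta(hours=i), 0) for i in range(span)]

def gaussian_upper(counts, k=2.0):
    """mean + k * sample stdev (eventstats avg(count), stdev(count)). The
    burst hour inflates its own stdev, so this band can fail to flag it."""
    return statistics.fmean(counts) + k * statistics.stdev(counts)

def poisson_upper(counts, alpha=0.025):
    """Smallest n with P(X <= n) >= 1 - alpha for X ~ Poisson(mean count);
    the Poisson spread is fixed by the mean, so the burst cannot widen it."""
    lam = statistics.fmean(counts)
    if lam == 0:
        return 0
    n, cdf = 0, 0.0
    while cdf < 1 - alpha:
        cdf += math.exp(-lam + n * math.log(lam) - math.lgamma(n + 1))
        n += 1
    return n - 1
```

On these counts ([2, 1, 3, 1, 2, 10]) the Gaussian band lands just above 10, so the burst hour is not flagged, while the Poisson band is 7 and flags it.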