Hi, I'm trying to calculate the standard deviation for a range of time to create an alert and know when the total of transactions is below 3x the standard deviation, so that it triggers an alert.
index=data
|bucket _time span=5m
|dedup field28
|stats count as Total_transactions, stdev(Total) as Dev by _time, field37
|rename field37 as Source
|table _time, Source, Total_transactions, Dev
Assuming a historical baseline from a source that's stable on five-minute intervals (add earliest and latest values to cover your baseline time range):
index=data
| bin _time span=5m
| stats count by _time
| eval time_bucket=strftime(_time, "%M")
| stats avg(count) as avg_count, stdev(count) as stdev_count by time_bucket
| eval lower_control_limit=avg_count-3*stdev_count
| outputlookup baseline.csv
You can compare the current measurement to the threshold in a search that executes on */5 * * * *:
index=data earliest=-5m@m latest=@m
| bin _time span=5m
| stats count by _time
| eval time_bucket=strftime(_time, "%M")
| lookup baseline.csv time_bucket output lower_control_limit
| where count<lower_control_limit
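The two searches above are easy to get wrong in the details (which field is binned, what the lookup key is, what happens when a bucket has no baseline), so here is the same logic written out in plain Python as an added example. It is not the original Splunk query and not a Splunk API; it just reproduces the arithmetic: bin into 5-minute intervals, key each interval by minute-of-hour the way strftime(_time, "%M") does, take mean minus 3 times the sample standard deviation per key (Splunk's stdev() is the sample standard deviation), and compare a fresh interval's count against its key's limit. The history, the current-interval events, and the date are constructed for the example; bin_time assumes a span that divides 60 minutes, which is the case for span=5m.

```python
"""Baseline-and-lower-control-limit check for per-interval transaction counts.

Added example reproducing the logic of the two SPL searches:
  1. bin events into 5-minute intervals and count them   (bin _time + stats count)
  2. key each interval by its minute-of-hour               (strftime(_time, "%M"))
  3. per key: mean, sample stdev, limit = mean - 3*stdev   (stats avg/stdev + eval)
  4. compare a fresh interval count with its key's limit   (lookup + where)
All sample data in this file is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, stdev

SPAN_MINUTES = 5
SIGMAS = 3  # "3x the standard deviation" from the question


def bin_time(ts: datetime, span_minutes: int = SPAN_MINUTES) -> datetime:
    """Floor a timestamp to the start of its interval (assumes span divides 60)."""
    return ts.replace(minute=ts.minute - ts.minute % span_minutes, second=0, microsecond=0)


def time_bucket(bin_start: datetime) -> str:
    """Lookup key, same as strftime(_time, "%M"): the minute-of-hour, e.g. "05"."""
    return bin_start.strftime("%M")


def count_per_bin(event_times) -> dict:
    """Equivalent of `bin _time span=5m | stats count by _time`."""
    counts = defaultdict(int)
    for t in event_times:
        counts[bin_time(t)] += 1
    return dict(counts)


def build_baseline(bin_counts: dict, sigmas: int = SIGMAS) -> dict:
    """From {interval_start: count} build {time_bucket: lower_control_limit}."""
    samples = defaultdict(list)
    for bin_start, count in bin_counts.items():
        samples[time_bucket(bin_start)].append(count)
    baseline = {}
    for bucket, values in samples.items():
        if len(values) < 2:
            # sample stdev is undefined on one value; Splunk would emit a null
            # limit for this bucket, so the comparison search could never fire
            continue
        baseline[bucket] = mean(values) - sigmas * stdev(values)
    return baseline


def below_limit(bin_start: datetime, count: int, baseline: dict) -> bool:
    """True when the interval's count is under its bucket's lower control limit.

    A bucket missing from the baseline yields False: in the SPL version the lookup
    leaves lower_control_limit null and `where count<lower_control_limit` drops the row.
    """
    limit = baseline.get(time_bucket(bin_start))
    return limit is not None and count < limit


# --- constructed data -------------------------------------------------------

def constructed_interval(hour: int, minute: int) -> datetime:
    """An interval start on the constructed baseline day."""
    return datetime(2024, 1, 15, hour, minute)


def constructed_history() -> dict:
    """Three hours of 5-minute bins; count = 100 + minute-of-hour + 3*(hour-1).

    Every minute-of-hour bucket therefore sees (base-3, base, base+3):
    mean = base, sample stdev = 3, lower limit = base - 9.
    """
    return {
        constructed_interval(hour, minute): 100 + minute + 3 * (hour - 1)
        for hour in range(3)
        for minute in range(0, 60, SPAN_MINUTES)
    }


def constructed_current_events(n: int, start: datetime) -> list:
    """n constructed event timestamps spread inside the interval beginning at start."""
    return [start + timedelta(seconds=i * 300 // n) for i in range(n)]


if __name__ == "__main__":
    baseline = build_baseline(constructed_history())
    current = constructed_interval(3, 30)
    count = count_per_bin(constructed_current_events(120, current))[current]
    print(f"bucket {time_bucket(current)}: limit={baseline[time_bucket(current)]:.1f}, "
          f"count={count}, alert={below_limit(current, count, baseline)}")
```

Running it shows bucket "30" carrying a limit of 121 while bucket "00" carries 91, which is the point of keying the baseline by minute-of-hour: each interval is judged against its own history, not one global number. A bucket with a single historical sample gets no limit and can never alert, so check that the baseline time range is long enough to give every bucket several samples.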