Splunk Search

Standard deviation in a period of time

edfigue
Engager

Hi, I'm trying to calculate the standard deviation for a range of time to create an alert, and to know when the total of transactions is below 3x the standard deviation so it triggers an alert.

index=data
|bucket _time span=5m
|dedup field28
|stats count as Total_transactions, stdev(Total) as Dev by _time, field37
|rename field37 as Source
|table _time, Source, Total_transactions, Dev


tscroggins
Influencer

@edfigue 

Assuming a historical baseline from a source that's stable on five minute intervals (add earliest and latest values to cover your baseline time range):

index=data
| bin _time span=5m
| stats count by _time
| eval time_bucket=strftime(_time, "%M")
| stats avg(count) as avg_count stdev(count) as stdev_count by time_bucket
| eval lower_control_limit=avg_count-3*stdev_count
| outputlookup baseline.csv

You can compare the current measurement to the threshold in a search that executes on */5 * * * *:

index=data earliest=-5m@m latest=@m
| bin _time span=5m
| stats count by _time
| eval time_bucket=strftime(_time, "%M")
| lookup baseline.csv time_bucket output lower_control_limit
| where count<lower_control_limit

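The following is an added example that models the two-stage approach in the answer above outside Splunk, so the numbers can be checked by hand; it is not code from the thread or from Splunk. It mirrors each stage of the SPL (5-minute binning, count per bin, minute-of-hour bucketing with `%M`, sample standard deviation as Splunk's `stdev` computes it, `lower_control_limit = avg - 3*stdev`, then the comparison the alert search makes). The function names and the event timestamps are constructed for the example; the minute bucket is derived in UTC.

```python
"""Model of the baseline + alert searches from the answer (added example).

Stage 1 (baseline): bin events to 5 minutes, count per bin, group the counts
by minute-of-hour bucket, keep avg/stdev and a lower control limit.
Stage 2 (alert): count the current 5-minute window and compare it with the
limit stored for its bucket.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, stdev

SPAN = 300  # seconds; matches "span=5m"


def bin_time(ts: int, span: int = SPAN) -> int:
    """Equivalent of `bin _time span=5m`: floor epoch seconds to the bin start."""
    return ts - (ts % span)


def count_per_bin(timestamps) -> dict:
    """Equivalent of `stats count by _time` after binning.
    Like Splunk, an empty bin produces no entry rather than a zero."""
    counts = defaultdict(int)
    for ts in timestamps:
        counts[bin_time(ts)] += 1
    return dict(counts)


def minute_bucket(bin_start: int) -> str:
    """Equivalent of strftime(_time, "%M"): minute of the hour, zero padded (UTC)."""
    return datetime.fromtimestamp(bin_start, tz=timezone.utc).strftime("%M")


def build_baseline(counts: dict, k: float = 3.0) -> dict:
    """Rows that `outputlookup baseline.csv` would hold, keyed by time_bucket.
    stdev is the sample standard deviation (n-1), as Splunk's stdev() is;
    a bucket with a single observation gets stdev 0 instead of an error."""
    by_bucket = defaultdict(list)
    for bin_start, n in counts.items():
        by_bucket[minute_bucket(bin_start)].append(n)
    baseline = {}
    for bucket, values in by_bucket.items():
        avg = mean(values)
        sd = stdev(values) if len(values) > 1 else 0.0
        baseline[bucket] = {
            "avg_count": avg,
            "stdev_count": sd,
            "lower_control_limit": avg - k * sd,
        }
    return baseline


def alert_for_window(events, window_start: int, baseline: dict):
    """Mirror of the */5 alert search for one window.
    Returns True when the count is below the bucket's limit, False when it
    is not, and None when the window has no events at all: `stats count`
    then yields no row, so `where count<lower_control_limit` never sees 0."""
    counts = count_per_bin(events)
    if window_start not in counts:
        return None
    row = baseline.get(minute_bucket(window_start))
    if row is None:
        return False  # no baseline row for this bucket (lookup returns nothing)
    return counts[window_start] < row["lower_control_limit"]


def constructed_baseline_events() -> list:
    """Constructed history: four hours starting at epoch 0 (00:00 UTC).
    The ":00" bucket sees 100, 102, 98, 100 events; the ":05" bucket sees 50
    each hour. Events are placed at bin_start + i, so they stay in their bin."""
    events = []
    for hour, n in enumerate([100, 102, 98, 100]):
        start = hour * 3600
        events.extend(start + i for i in range(n))
    for hour in range(4):
        start = hour * 3600 + 300
        events.extend(start + i for i in range(50))
    return events


if __name__ == "__main__":
    baseline = build_baseline(count_per_bin(constructed_baseline_events()))
    for bucket in sorted(baseline):
        print(bucket, baseline[bucket])
    # A current window at 04:00 UTC (bucket "00") with only 90 events.
    print(alert_for_window(list(range(14400, 14490)), 14400, baseline))
```

For the constructed history the ":00" bucket has an average of 100 and a sample standard deviation of about 1.63, so the lower control limit is about 95.1: a window with 90 events is flagged and one with 97 is not. Two points the model makes visible: a bucket with a flat history (the ":05" bucket) gets a standard deviation of 0, so its limit equals its average and any drop at all is flagged; and a window with zero events yields no row from `stats count`, so the `where` clause never fires for a total outage, which is the case such an alert is usually meant to catch. A `tstats` or `fillnull` step, or a separate check that the alert search returned at least one row, closes that gap.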