Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What is the moving window for in finding outliers?

sssignals
Path Finder
‎07-15-2019 08:40 AM

Hi Splunkers,

I referenced Splunk documentation on finding outliers below.

Why is there a need for moving a window? My use case is that I collect stats say port loading factor over the last 5 mins and calculate upper threshold ie. mean+3*sigma. If any stats in this 5 mins goes above the upper threshold, I declare that it is an outlier. Then I repeat everything for the stats that comes in the next 5mins. So there is no moving window. Am I doing it right? Or I need the moving window. Thanks for your advice.

| inputlookup quote.csv 
 | head 500 
 | eval _time=(round(strptime(time, "%Y-%m-%d %H:%M:%SZ")))
 | streamstats window=100 avg("price") as 
   avg stdev("price") as stdev 
 | eval lowerBound=(avg-stdev*2) 
 | eval upperBound=(avg+stdev*2) 
 | eval isOutlier=if('price' < lowerBound 
   OR 'price' > upperBound, 1, 0)
0 Karma
Reply

jraso
Explorer
‎10-23-2019 12:23 AM

I think that if you are using streamstats window=100 to compute avg and stdev, your moving window is exactly 100 events. This should correspond with your 5 minutes window.
In case you want to use all data as reference for finding outliers from avg and stdev, you should use eventstats to compute avg and stdev of all data in your search.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...