What is the moving window for in finding outliers?

sssignals · ‎07-15-2019

Hi Splunkers,

I referenced Splunk documentation on finding outliers below.

Why is there a need for moving a window? My use case is that I collect stats say port loading factor over the last 5 mins and calculate upper threshold ie. mean+3*sigma. If any stats in this 5 mins goes above the upper threshold, I declare that it is an outlier. Then I repeat everything for the stats that comes in the next 5mins. So there is no moving window. Am I doing it right? Or I need the moving window. Thanks for your advice.

| inputlookup quote.csv 
 | head 500 
 | eval _time=(round(strptime(time, "%Y-%m-%d %H:%M:%SZ")))
 | streamstats window=100 avg("price") as 
   avg stdev("price") as stdev 
 | eval lowerBound=(avg-stdev*2) 
 | eval upperBound=(avg+stdev*2) 
 | eval isOutlier=if('price' < lowerBound 
   OR 'price' > upperBound, 1, 0)

jraso · ‎10-23-2019

I think that if you are using streamstats window=100 to compute avg and stdev, your moving window is exactly 100 events. This should correspond with your 5 minutes window.
In case you want to use all data as reference for finding outliers from avg and stdev, you should use eventstats to compute avg and stdev of all data in your search.

What is the moving window for in finding outliers?

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

What is the moving window for in finding outliers?

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers