Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why can't I generate data table of statistics?

POR160893
Builder
‎02-10-2023 06:33 AM

Hi,

My overall goal is to create a resulting data table with headings including HourOfDay, BucketMinuteOfHour, DayOfWeek, and source, as well as creating an upperBound and lowerBound.

My current query is as follows:

index="akamai" sourcetype=akamaisiem
| eval time = _time
| eval time=strptime(time, "%Y-%m-%dT%H:%M:%S")
| bin time span=15m
| eval HourOfDay=strftime(time, "%H")
| eval BucketMinuteOfHour=strftime(time, "%M")
| eval DayOfWeek=strftime(time, "%A")
| stats avg(count) as avg stdev(count) as stdev by HourOfDay,BucketMinuteOfHour,DayOfWeek,source
| eval lowerBound=(avg-stdev*exact(2)), upperBound=(avg+stdev*exact(2))
| fields lowerBound,upperBound,HourOfDay,BucketMinuteOfHour,DayOfWeek,source
| outputlookup state.csv

However, it produces zero results. Can you please help?
I am using the following article as a guide as this is for an anomaly detection project: https://www.splunk.com/en_us/blog/platform/cyclical-statistical-forecasts-and-anomalies-part-1.html


I appreciate any help.

tHANKS!

Labels (8)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-10-2023 07:19 AM

Hi @POR160893,

review the time definitions:

index="akamai" sourcetype=akamaisiem
| bin _time span=15m
| eval HourOfDay=strftime(_time, "%H")
| eval BucketMinuteOfHour=strftime(_time, "%M")
| eval DayOfWeek=strftime(_time, "%A")
| stats avg(count) as avg stdev(count) as stdev by HourOfDay BucketMinuteOfHour DayOfWeek source
| eval lowerBound=(avg-stdev*exact(2)), upperBound=(avg+stdev*exact(2))
| fields lowerBound,upperBound,HourOfDay,BucketMinuteOfHour,DayOfWeek,source
| outputlookup state.csv

Ciao.

Giuseppe

Reply

gcusello
SplunkTrust
SplunkTrust
‎02-10-2023 07:28 AM

Hi @POR160893,

this search works if you have the "count" field, but also in your search you haven't it.

How do you want to calculate avg and std_dev?

Ciao.

Giuseppe

0 Karma
Reply

POR160893
Builder
‎02-10-2023 07:47 AM

OK.

So, the count is supposed to be the number of HTTP requests for a given day.

So, I set the count variable with the following then:
| timechart span=1d count(httpMessage.requestId) as count

Thanks!

0 Karma
Reply

POR160893
Builder
‎02-10-2023 07:55 AM

Sadly, it did not solve my issue as my current query where count is set outputs no fields.
The query is as such:
index="akamai" sourcetype=akamaisiem
| timechart span=1d count(httpMessage.requestId) as count
| bin _time span=15m
| eval HourOfDay=strftime(_time, "%H")
| eval BucketMinuteOfHour=strftime(_time, "%M")
| eval DayOfWeek=strftime(_time, "%A")
| stats avg(count) as avg stdev(count) as stdev by HourOfDay BucketMinuteOfHour DayOfWeek source
| eval lowerBound=(avg-stdev*exact(2)), upperBound=(avg+stdev*exact(2))
| fields lowerBound,upperBound,HourOfDay,BucketMinuteOfHour,DayOfWeek,source
| table lowerBound,upperBound,HourOfDay,BucketMinuteOfHour,DayOfWeek,source


Let me know what you think or where I went wrong please?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-10-2023 07:53 AM

Hi @POR160893,

if one answer solves your need, please accept one answer for the other people of Community or tell me how I can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply

POR160893
Builder
‎02-10-2023 07:22 AM

Hey, 

This query helped but I still do not get the upper and lower bounds in the final output:

POR160893_0-1676042515034.png

 



What do you think?

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...