Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Why stdev returns zero
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why stdev returns zero
Hi there,
I'm working on this query:
index=checkin host="prod" earliest=-0d@d latest=now (description="Intento de checkin*" OR description="Checkin exitoso*") |transaction productId |
eval TotalOK=if(description=="Checkin exitoso", 1, 0) |
eval time=_time |
bucket time span=10m |
append [search index=checkin host="prod" earliest=-7d@d latest=-6d@d (description="Intento de checkin*" OR description="Checkin exitoso*") | transaction productId |
eval time=relative_time(_time,"+7d") |
bucket time span=10m |
eval TotalOKlw=if(description=="Checkin exitoso", 1, 0) ] |append [search index=checkin host="prod" earliest=-14d@d latest=-13d@d (description="Intento de checkin*" OR description="Checkin exitoso*") | transaction productId |
eval time=relative_time(_time,"+14d") |
bucket time span=10m |
eval TotalOKlw=if(description=="Checkin exitoso", 1, 0) ]| append [search index=checkin host="prod" earliest=-21d@d latest=-20d@d (description="Intento de checkin*" OR description="Checkin exitoso*") | transaction productId |
eval time=relative_time(_time,"+21d") |
bucket time span=10m |
eval TotalOKlw=if(description=="Checkin exitoso", 1, 0) ]|
eval theTime=strftime(time, "%F %H:%M %p") |
stats stdev(TotalOKlw) as STdesv sum(TotalOK) as CheckinToday sum(TotalOKlw) as TOTALOKlw by theTime | eval CheckinHist=(TOTALOKlw/3) | eval diferencia=CheckinHist-CheckinToday
I try to compare a historic average with an actual value, I need get the standar deviation for my historics values (3 values) and do some mathematical proportion with the diference to trigger an alarm. But the stdev give me zeros values.
What I'm doing wrong?
Thanks in advance
Cheers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this eval expression ...|eval TotalOKlw=if(description=="Checkin exitoso", 1, 0) ]|....do you have 0 or 1 values to TotalOKlw.
then when you make ...|stats stdev(TotalOKlw) as STdesv ...
it is nomal that you have STdesv=0.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A value of "0" makes perfect sense to me. You individual field values will either be 0 or 1 due to the way you set them and my guess is that the actual values are either all 3 are 0 or all 3 are 1 which gives stdev=0.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Data Management Digest – May 2026
Index This | What is feather-light but cannot be held long?
.conf26 Registration is Live: Secure Your Early Bird Pass Now
