Hello fellow splunkers,

I would like to ask you something regarding the function that most of the alerts use to find outliers and so on. I was actually trying to find some information on my own, but I never got a good explanation. Basically, I am focusing on understanding the following. Let's take this query as an example:

    tag=email
    | search src_user=*@mycompany.com
    | bucket _time span=1d
    | stats count by src_user, _time
    | stats count as num_data_samples
            max(eval(if(_time >= relative_time(now(), "-1d@d"), 'count', null))) as recent_count
            avg(eval(if(_time < relative_time(now(), "-1d@d"), 'count', null))) as avg
            stdev(eval(if(_time < relative_time(now(), "-1d@d"), 'count', null))) as stdev
            by src_user
    | where recent_count > (avg + stdev*2) AND num_data_samples >= 7

What I am trying to understand is the purpose of the two consecutive stats. I was reading that the first one is for obtaining a general number per day and the other one is for detecting how many times on that day the given user has been detected, but honestly, I had no success, so I am kind of interested in understanding whether this is because it is the base of having a good baseline.

Thanks so much,
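To make the two-stage stats concrete, here is an added Python re-implementation of the query's logic over constructed sample events; it is not part of the original post and not Splunk code. It assumes that `bucket _time span=1d` and `@d` both snap to midnight, that Splunk's `stdev` is the sample standard deviation, and it uses a fixed value for `now()` so the run is reproducible. The first stage collapses raw events into one row per (user, day); the second stage turns those daily rows into a per-user baseline (average and standard deviation of the days before yesterday), the latest day's count, and the number of days of history, which the `where` clause then compares.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, stdev

# Fixed stand-in for Splunk's now() (constructed value, for reproducibility).
NOW = datetime(2024, 3, 10, 15, 30, tzinfo=timezone.utc)


def midnight(ts):
    """Snap a timestamp to the start of its day: what `bucket _time span=1d` and `@d` do (assumed)."""
    return ts.replace(hour=0, minute=0, second=0, microsecond=0)


def build_sample_events():
    """Constructed (src_user, _time) email events. In each list, index 0 is the
    number of mails sent yesterday, index 1 two days ago, and so on (none today)."""
    profiles = {
        "alice@mycompany.com": [40, 11, 9, 10, 12, 10, 9, 11, 10],   # sudden spike yesterday
        "bob@mycompany.com":   [50, 5, 5, 5],                         # spike, but only 4 days of history
        "carol@mycompany.com": [21, 18, 22, 20, 19, 21, 20, 22, 18],  # within normal variation
        "eve@other.com":       [99, 1, 1, 1, 1, 1, 1, 1, 1],          # removed by the src_user filter
    }
    events = []
    for user, per_day in profiles.items():
        for days_ago, n in enumerate(per_day, start=1):
            day = midnight(NOW - timedelta(days=days_ago))
            events += [(user, day + timedelta(minutes=i)) for i in range(n)]
    return events


def stage1_daily_counts(events):
    """`search src_user=*@mycompany.com | bucket _time span=1d | stats count by src_user, _time`
    Returns {(user, day): count}: one row per user per day, the input of the second stats."""
    counts = defaultdict(int)
    for user, ts in events:
        if not user.endswith("@mycompany.com"):
            continue
        counts[(user, midnight(ts))] += 1
    return counts


def stage2_user_baseline(daily_counts, now=NOW):
    """The second stats, grouped by src_user over the daily rows from stage 1."""
    cutoff = midnight(now - timedelta(days=1))   # relative_time(now(), "-1d@d")
    rows_by_user = defaultdict(list)
    for (user, day), count in daily_counts.items():
        rows_by_user[user].append((day, count))

    stats = {}
    for user, rows in rows_by_user.items():
        recent = [c for day, c in rows if day >= cutoff]   # yesterday and today
        baseline = [c for day, c in rows if day < cutoff]  # everything older
        stats[user] = {
            "num_data_samples": len(rows),                         # count of daily rows
            "recent_count": max(recent) if recent else None,       # max(eval(if(_time >= cutoff, count, null)))
            "avg": mean(baseline) if baseline else None,           # avg(eval(if(_time < cutoff, count, null)))
            "stdev": stdev(baseline) if len(baseline) >= 2 else None,
        }
    return stats


def find_outliers(stats, sigma=2, min_samples=7):
    """`where recent_count > (avg + stdev*sigma) AND num_data_samples >= min_samples`.
    A null on either side of a comparison evaluates to false in Splunk, so such rows drop out."""
    flagged = []
    for user, s in stats.items():
        if None in (s["recent_count"], s["avg"], s["stdev"]):
            continue
        if s["recent_count"] > s["avg"] + s["stdev"] * sigma and s["num_data_samples"] >= min_samples:
            flagged.append(user)
    return sorted(flagged)


def run_detection(events, now=NOW, sigma=2, min_samples=7):
    stats = stage2_user_baseline(stage1_daily_counts(events), now)
    return stats, find_outliers(stats, sigma, min_samples)


if __name__ == "__main__":
    stats, outliers = run_detection(build_sample_events())
    for user, s in sorted(stats.items()):
        print(user, {k: (round(v, 2) if isinstance(v, float) else v) for k, v in s.items()})
    print("outliers:", outliers)
```

Running it shows why both stages are needed: without the first stats there would be no per-day numbers to average, and without the second there would be no baseline to compare yesterday against. bob's spike is not reported because `num_data_samples >= 7` rejects users with too little history for the average and standard deviation to mean anything, and carol's 21 stays below `avg + 2*stdev` because her baseline already varies by a couple of mails a day.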