Give this a try index=_internal sourcetype=splunkd component=metrics group=per_source_thruput series="*syslog-ng*" host=*hf*
| eval hfgroup=substr(host, 0, 5), eps=eps/2, NodeName=UPPER(mvindex(split(host, "."), 0))
| lookup Cybersecurity_Infrastructure NodeName OUTPUT NodeID
| bucket _time span=1h
| timechart span=1h sum(eps) as Eps
| eval HourOfDay=strftime(_time, "%H")
| eval BucketMinuteOfHour=strftime(_time, "%M")
| eval DayOfWeek=strftime(_time, "%A")
| streamstats avg(Eps) as avg stdev(Eps) as stdev by HourOfDay BucketMinuteOfHour DayOfWeek
| eval AbsDev = abs(Eps - avg)
| streamstats avg(AbsDev) as MAD stdev(AbsDev) as MADStdev by HourOfDay, BucketMinuteOfHour, DayOfWeek
| eval UpperBound = avg + (3 * MAD)
| eval LowerBound = avg - (3 * MAD)
| eval Outlier_Eps=if(Eps > UpperBound OR Eps < LowerBound, Eps, null())
| table _time Outlier_Eps
... View more