Hi,
This might be a trivial question, but I am having a hard time figuring it out. Any help is greatly appreciated.
Here is the problem:
I have logs from remote VPN servers reporting the sent and received data in each session for each user.
I am trying to calculate the average of the data sent, and standard deviation over a month, then add the average and twice the calculated standard deviation together as the alerting threshold for the user.
However, I cannot add the values of the average and the stddev!!
Here is the SPL I have developed for this:
eventtype=RAS AND (EventCode=20272) AND ConnectionID!="NA" AND UserID="XYZ"
| dedup ConnectionID
| bucket _time span=1mon@mon
| stats sum(Data_Sent) as Monthly_Total_Sent stdev(Data_Sent) as Monthly_Sent_Stdev by _time UserID
| eval Monthly_Avg_Sent(MB)=round(Monthly_Avg_Sent/(1024*1024),2), Monthly_Sent_Stdev(MB)=round(Monthly_Sent_Stdev/(1024*1024),1),Abnormal_Sent_Limit(MB)=2*Monthly_Sent_Stdev(MB)+Monthly_Avg_Sent(MB)
However, Splunk errors out on the Abnormal_Sent_Limit(MB) calculation!!
The error I see is:
Error in 'eval' command: The 'monthly_sent_stdev' function is unsupported or undefined.
I have also tried values(), but with the same results. I mean:
Abnormal_Sent_Limit(MB)=2*values(Monthly_Sent_Stdev(MB))+values(Monthly_Avg_Sent(MB))
I am pretty sure I am doing something wrong, but I don't know what that is!!
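One way to write the search described in the post, as an added example that is not part of the original post: in eval, a field name containing parentheses goes in double quotes on the left of the = and in single quotes inside the expression, otherwise Monthly_Sent_Stdev(MB) is parsed as a call to a function named Monthly_Sent_Stdev. The example also computes avg(Data_Sent) in stats, because the posted search only produces a sum and never creates Monthly_Avg_Sent, and it assumes Data_Sent is in bytes, as the division by 1024*1024 implies.

```spl
eventtype=RAS EventCode=20272 ConnectionID!="NA" UserID="XYZ"
| dedup ConnectionID
| bucket _time span=1mon
| stats avg(Data_Sent) as Monthly_Avg_Sent stdev(Data_Sent) as Monthly_Sent_Stdev by _time UserID
| eval "Monthly_Avg_Sent(MB)"=round(Monthly_Avg_Sent/(1024*1024),2)
| eval "Monthly_Sent_Stdev(MB)"=round(Monthly_Sent_Stdev/(1024*1024),1)
| eval "Abnormal_Sent_Limit(MB)"='Monthly_Avg_Sent(MB)'+2*'Monthly_Sent_Stdev(MB)'
| table _time UserID "Monthly_Avg_Sent(MB)" "Monthly_Sent_Stdev(MB)" "Abnormal_Sent_Limit(MB)"
```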