Hi team,
I'm trying to find the network traffic of a user and classify it as high or normal based on avg and stdev calculations.
QUERY:
index="pan_logs" sourcetype="pan:traffic" user!=unknown
| stats sum(bytes) as bytes by _time,user
| eval MB = round(bytes/1024/1024,4)
| bin span=1d _time
| stats avg(MB) as avg stdev(MB) as stdv by user,_time
| eval avg = round(avg,4) , stdv = round(stdv,4)
| eval Volume_Type = if((avg+2*stdv) > MB , "HIGH" , "NORMAL")
However, the avg and stdev calculation is wrong here, as it collects on a per-day basis and not when I keep it for the last 7 days.
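The computation the post is aiming for, written out as an added Python example (this is not Splunk SPL and not code from the original post): per-user daily totals are built first, the mean and sample standard deviation are then taken across the user's daily totals in the last 7 days, and each day is labelled HIGH when its MB exceeds avg + 2*stdev. The events, user names, and timestamps are constructed for the example; a user with fewer than two days of history gets no baseline rather than a misleading one.

```python
"""Classify each user's daily traffic volume as HIGH or NORMAL against a
multi-day baseline (mean + sigma * sample stdev of that user's daily totals).

Stand-alone illustration of the logic behind the Splunk query in the post.
It is not SPL and runs on constructed records, not real pan:traffic logs.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, stdev

MEGABYTE = 1024 * 1024
DAY = 86400
BASE = 1704067200  # 2024-01-01T00:00:00Z in epoch seconds (assumed start of window)


def _ev(user, day_index, hour, mb):
    """Build one constructed traffic record: (user, _time, bytes)."""
    return (user, BASE + day_index * DAY + hour * 3600, mb * MEGABYTE)


# Constructed sample events (not real PAN-OS data). alice is steady for six
# days and spikes on day 7; bob is flat every day; carol has one day of history.
SAMPLE_EVENTS = [
    _ev("alice", 0, 9, 60), _ev("alice", 0, 15, 40),   # two events, 100 MB total
    _ev("alice", 1, 10, 110),
    _ev("alice", 2, 11, 90),
    _ev("alice", 3, 9, 105),
    _ev("alice", 4, 14, 95),
    _ev("alice", 5, 10, 100),
    _ev("alice", 6, 2, 500), _ev("alice", 6, 3, 300),  # 800 MB spike
] + [_ev("bob", d, 12, 50) for d in range(7)] + [_ev("carol", 6, 12, 300)]


def day_of(epoch):
    """Equivalent of `bin span=1d _time`: collapse a timestamp to its UTC day."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d")


def daily_totals_mb(events):
    """Sum bytes per (user, day) and convert to MB, i.e. the daily total the
    query needs *before* any avg/stdev is taken."""
    totals = defaultdict(float)
    for user, t, nbytes in events:
        totals[(user, day_of(t))] += nbytes / MEGABYTE
    return dict(totals)


def classify_volume(events, window_days=7, sigma=2.0):
    """Return {(user, day): {MB, avg, stdv, Volume_Type}} where avg/stdv are
    computed across the user's daily totals within the last `window_days`."""
    per_user = defaultdict(list)
    for (user, day), mb in daily_totals_mb(events).items():
        per_user[user].append((day, mb))

    results = {}
    for user, days in per_user.items():
        recent = sorted(days)[-window_days:]          # newest window_days days
        values = [mb for _, mb in recent]
        if len(values) < 2:
            avg = sd = None                           # stdev undefined for one day
        else:
            avg, sd = mean(values), stdev(values)     # sample stdev, like Splunk's stdev()
        for day, mb in recent:
            if avg is None:
                label = "UNKNOWN"                     # not enough history to judge
            elif mb > avg + sigma * sd:               # volume above the baseline band
                label = "HIGH"
            else:
                label = "NORMAL"
            results[(user, day)] = {
                "MB": round(mb, 4),
                "avg": None if avg is None else round(avg, 4),
                "stdv": None if sd is None else round(sd, 4),
                "Volume_Type": label,
            }
    return results


if __name__ == "__main__":
    for (user, day), row in sorted(classify_volume(SAMPLE_EVENTS).items()):
        print(user, day, row)
```

Two things to keep in mind when translating this back to SPL: the 1-day bin and per-user sum must come before the statistics, and the day being scored is included in its own baseline here (as an eventstats over the same window would do), which widens the stdev on the spike day; a flat baseline such as bob's has stdev 0, so any increase at all would be flagged.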