I am trying to find outliers in data taken from stream located on a terminal server, to detect large outbound file uploads. I have written a search which kind of works but I get multiple entries for applications and can't find a way to group them together. The search I have come up with is below. Any help would be appreciated!
index=main host=ts01 source="stream:Splunk_Tcp" NOT dest_ip="192.168.*"
| rename "sum(bytes_out)" AS "bytes_out"
| eventstats avg("bytes_out") as avg stdev("bytes_out") as stdev
| eval lowerBound=(avg-stdev*2)
| eval upperBound=(avg+stdev*2)
| eval isOutlier=if('bytes_out' > 'upperBound', 1, 0)
| table "app" "isOutlier" "bytes_out" "stdev" "avg"
... View more