Solved: Help with Stats and time buckets

mpasha · ‎08-16-2019

good day everyone,
I have been wrestling with a rather trivial task in Splunk but have not been able to progress with the task at all.
I have a summary index that records number of DNS queries per hour. I have attached a csv file with the content: link text

here is the requirement:
I need to have an aggregate of DNS query counts per day which i can calculte with no problem:

index=sum_dnsquery_count earliest=-2mon@mon latest=@d
| bucket _time span=1d@d
| timechart sum(count) as Daily_DNSQuery

now the challenging part is i want to calculate daily average for the past two month and also standard deviation of the daily count for the same time frame "past 2 months" "Keep in mind the summary index minimum time value is 1hr. and lastly i want to have a chart with the daily values with average and standard deviation superimposed on a chart.

Any help is greatly appreciated.

Thanks,

mpasha · ‎08-16-2019

Somesoni2 has answered the question and it is working perfectly.
Thanks again Somesoni2.

View solution in original post

mpasha · ‎08-16-2019

Somesoni2 has answered the question and it is working perfectly.
Thanks again Somesoni2.

somesoni2 · ‎08-16-2019

Does following doesn't give you right values?

index=sum_dnsquery_count earliest=-2mon@mon latest=@d
 | bucket _time span=1d@d
 | timechart sum(count) as Daily_DNSQuery stdev(count) as StandardDeviation

OR this

index=sum_dnsquery_count earliest=-2mon@mon latest=@d
 | bucket _time span=1d@d
 | timechart sum(count) as Daily_DNSQuery | eventstats stdev(Daily_DNSQuery) as StandardDeviation

mpasha · ‎08-16-2019

Awsome!!!!!
Thanks so much it is working the way it should.
Really appreciate your help Somesoni2.

Help with Stats and time buckets

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk