Help with Stats and time buckets

mpasha
Path Finder

Good day everyone,
I have been wrestling with a rather trivial task in Splunk but have not been able to progress with the task at all.
I have a summary index that records the number of DNS queries per hour. I have attached a CSV file with the content: link text

Here is the requirement:
I need to have an aggregate of DNS query counts per day, which I can calculate with no problem:

index=sum_dnsquery_count earliest=-2mon@mon latest=@d
| bucket _time span=1d@d
| timechart sum(count) as Daily_DNSQuery

Now the challenging part is that I want to calculate the daily average for the past two months and also the standard deviation of the daily count for the same time frame (past 2 months). Keep in mind the summary index minimum time value is 1hr. Lastly, I want to have a chart with the daily values with the average and standard deviation superimposed on it.

Any help is greatly appreciated.

Thanks,

0 Karma
1 Solution

mpasha
Path Finder

Somesoni2 has answered the question and it is working perfectly.
Thanks again Somesoni2.

0 Karma

somesoni2
Revered Legend

Doesn't the following give you the right values?

index=sum_dnsquery_count earliest=-2mon@mon latest=@d
 | bucket _time span=1d@d
 | timechart sum(count) as Daily_DNSQuery stdev(count) as StandardDeviation

OR this

index=sum_dnsquery_count earliest=-2mon@mon latest=@d
 | bucket _time span=1d@d
 | timechart sum(count) as Daily_DNSQuery | eventstats stdev(Daily_DNSQuery) as StandardDeviation
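The two standard deviations computed by the queries in this thread measure different things; this added Python example (not code from the thread) reproduces both on constructed hourly rows, adds the daily average the question asks for, and flags days whose total lies more than k standard deviations from that average. The function name, the sample rows and k=2 are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, stdev

def daily_stats(hourly, k=2.0):
    """hourly: iterable of (day, count) rows, one per hourly summary event."""
    per_day = defaultdict(list)
    for day, count in hourly:
        per_day[day].append(count)
    days = sorted(per_day)

    # Equivalent of sum(count) per 1-day bucket.
    totals = {d: sum(per_day[d]) for d in days}

    # Equivalent of stdev(count) per 1-day bucket: spread of the HOURLY
    # counts inside each day (sample standard deviation).
    within_day = {d: stdev(per_day[d]) if len(per_day[d]) > 1 else 0.0
                  for d in days}

    # Equivalent of eventstats over the daily rows: average and sample
    # standard deviation of the DAILY totals across the whole window.
    values = list(totals.values())
    avg = mean(values)
    sd = stdev(values) if len(values) > 1 else 0.0

    # Days to look at first when baselining DNS volume (k is an assumption).
    outliers = [d for d in days if abs(totals[d] - avg) > k * sd]
    return totals, within_day, avg, sd, outliers

# Constructed sample: six ordinary days and one day with 4x the volume,
# four hourly rows per day to keep the numbers easy to check by hand.
SAMPLE = [(f"2024-01-0{n}", c) for n in range(1, 7) for c in (90, 110, 90, 110)]
SAMPLE += [("2024-01-07", 400)] * 4

if __name__ == "__main__":
    totals, within_day, avg, sd, outliers = daily_stats(SAMPLE)
    for day in totals:
        print(day, totals[day], round(within_day[day], 2))
    print("average", round(avg, 2), "stdev", round(sd, 2), "outliers", outliers)
```

On the constructed data the high-volume day has a within-day standard deviation of 0 because its hourly counts are flat, yet it is the only day that stands out against the two-month average of daily totals.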

mpasha
Path Finder

Awesome!!!!!
Thanks so much it is working the way it should.
Really appreciate your help Somesoni2.

0 Karma