I think the simplest upper control / lower control limits are probably accomplished by using the perc##() percentile function of the timechart command.
sourcetype=access_combined
| timechart avg(bytes) as average, perc75(bytes) as upper_control_limit, perc25(bytes) as lower_control_limit
However, that is not really what you asked for. What you asked for more directly might look like this:
sourcetype=access_combined
| streamstats avg(bytes) as average, perc75(bytes) as upper_control_limit, perc25(bytes) as lower_control_limit
| table _time bytes average upper* lower*
Of course, you use use eval to set static thresholds as well.
sourcetype=access_combined
| eval upper = 3000
| eval lower = 1000
| streamstats avg(bytes) as average
| table _time bytes average upper lower
To go even further, directly as that article suggests - though note it isn't necessarily the only way to do this, would be something like this...
sourcetype=access_combined
| eventstats avg(bytes) as average, stdev(bytes) as stdev
| eval upper = average+(stdev*3)
| eval lower = average-(stdev*3)
| table _time bytes upper lower
I think the simplest upper control / lower control limits are probably accomplished by using the perc##() percentile function of the timechart command.
sourcetype=access_combined
| timechart avg(bytes) as average, perc75(bytes) as upper_control_limit, perc25(bytes) as lower_control_limit
However, that is not really what you asked for. What you asked for more directly might look like this:
sourcetype=access_combined
| streamstats avg(bytes) as average, perc75(bytes) as upper_control_limit, perc25(bytes) as lower_control_limit
| table _time bytes average upper* lower*
Of course, you use use eval to set static thresholds as well.
sourcetype=access_combined
| eval upper = 3000
| eval lower = 1000
| streamstats avg(bytes) as average
| table _time bytes average upper lower
To go even further, directly as that article suggests - though note it isn't necessarily the only way to do this, would be something like this...
sourcetype=access_combined
| eventstats avg(bytes) as average, stdev(bytes) as stdev
| eval upper = average+(stdev*3)
| eval lower = average-(stdev*3)
| table _time bytes upper lower
