How do I calculate the square root of a summed field?

steenbergend
New Member

Hello,

I'm trying to solve for a standard error formula in the number of observations I have for all hbss dlp events. The formula I'm interested in solving for is:

Standard Error = Standard Deviation / square root of number of observations

index=hbss sourcetype=hbss_dlp* | stats sum("Evidence Count") <- This gives me a number

The below search gives me an error. I know I'm supposed to use the stdev with the eval command but was unable to get that rolling. How can I calculate the standard deviation and the square root of a summed field and then use them both in a formula for an even newer field?

index=hbss sourcetype=hbss_dlp* | stats sum(Evidence Count) as "Total Files Burned" stdev(sum(Evidence Count))/sqrt(sum(Evidence Count))

0 Karma
1 Solution

acharlieh
Influencer

If I'm understanding the scenario correctly: if we consider each event with a non-null "Evidence Count" field as an observation of our population, then we can calculate the standard deviation of the Evidence Count field and the count of observations as outputs of the stats command, then pipe that to eval to finish the calculation:

.... | stats stdev("Evidence Count") as stdev count("Evidence Count") as count | eval error = stdev / sqrt(count)

Is this what you're looking for or is my interpretation a bit off here?

0 Karma

steenbergend
New Member

I do have a non-null "Evidence Count" that shows the number of files that were burned to a CD for one given event. I want to sum that number, hence sum(Evidence Count) or number of files burned. The count(Evidence Count) sums the number of individual events I think. When I put these two stats in my search I got two different numbers. Which is confusing because it seems count and sum should do the same thing.

Although the eval error syntax did calculate the formula and give me a number. Brilliant! Getting closer.

0 Karma
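The stats-then-eval pipeline from the accepted answer, and the sum() versus count() distinction raised in the follow-up, reproduced in plain Python over a handful of constructed events. This is an added example, not code from the original thread or from Splunk. It assumes a field literally named "Evidence Count" (which, in SPL, must be quoted because of the space: stdev("Evidence Count")), that Splunk's count(X) counts only events where X is present, and that Splunk's stdev() is the sample standard deviation (stdevp() is the population form).

```python
"""Added example (not from the original thread): reproduce the
`stats sum/count/stdev ... | eval error = stdev / sqrt(count)`
pipeline in plain Python so the difference between sum() and
count() is visible on concrete numbers."""
import math
import statistics

# Constructed sample events. Each is one DLP event; "Evidence Count"
# is the number of files burned in that event. The last event has no
# "Evidence Count" field at all, so it must not be counted as an
# observation (count(X) in Splunk only counts events where X exists).
EVENTS = [
    {"sourcetype": "hbss_dlp_burn", "Evidence Count": 3},
    {"sourcetype": "hbss_dlp_burn", "Evidence Count": 7},
    {"sourcetype": "hbss_dlp_burn", "Evidence Count": 2},
    {"sourcetype": "hbss_dlp_burn", "Evidence Count": 8},
    {"sourcetype": "hbss_dlp_print"},
]


def stats(events, field="Evidence Count"):
    """Mimic `stats sum(X) as total count(X) as count stdev(X) as stdev`.

    sum(X)   adds the field's values            -> total files burned
    count(X) counts events that carry the field -> number of observations
    stdev(X) is the sample standard deviation (assumption: matches
             Splunk's stdev(); stdevp() would be the population form)
    """
    values = [e[field] for e in events if e.get(field) is not None]
    total = sum(values)
    count = len(values)
    # With fewer than two observations there is no sample spread.
    stdev = statistics.stdev(values) if count > 1 else 0.0
    return {"total": total, "count": count, "stdev": stdev}


def standard_error(row):
    """Mimic `eval error = stdev / sqrt(count)`.

    Guard the degenerate case: with zero observations the formula
    would divide by zero, so there is simply no standard error.
    """
    if row["count"] == 0:
        return None
    return row["stdev"] / math.sqrt(row["count"])


if __name__ == "__main__":
    row = stats(EVENTS)
    print(row)                  # total=20 (sum), count=4 (events), stdev≈2.944
    print(standard_error(row))  # ≈ 1.472
```

Running this on the constructed events makes the follow-up confusion concrete: sum("Evidence Count") is 20 (files burned) while count("Evidence Count") is 4 (events that had the field), and the standard error uses the latter under the square root.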