I'm trying to create a simple control chart (where I show a line 3 standard deviations away from the mean). I just need to calculate what the standard deviation is for my entire set of data, multiply by 3 and plot the line along with my data.
Originally I tried to use a pivot because I used DataSets for speed but eventually gave up.
Now I'm trying the search syntax and it appears like the "append" command is what I need.
host=serverName sourcetype=http_access_log | append [search host=serverName sourcetype=http_access_log | stats stdev(ResponseTime) as TotalStdDev] | table _time host ResponseTime TotalStdDev
I'm just trying to generate a simple table to start with that has the TotalStdDev copied for each entry. Maybe then I can start aggregating based on days. But I can't even get the total standard deviation for the entire data set into my table.
Any suggestions out there?
Thanks,
Give this a try
host=serverName sourcetype=http_access_log | eventstats stdev(ResponseTime) as TotalStdDev | table _time host ResponseTime TotalStdDev
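To make the difference between stats and eventstats concrete, here is the same computation done by hand in Python: the standard deviation is taken over the whole set (or per group, like eventstats ... by host) and written onto every row, and each row is then compared against the 3-sigma control lines the question is after. This is an added example, not code from the question or from either answer; the events are constructed, and it assumes Splunk's stdev() is the sample (n-1) standard deviation, as statistics.stdev is.

```python
"""Added example: what `eventstats stdev(ResponseTime) as TotalStdDev` does, done by
hand, then turned into the 3-sigma control-chart check the question asks about."""
import re
import statistics
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample data (not real log data): 19 normal response times in ms and
# one spike, rendered as key=value events like the question's http_access_log.
RESPONSE_TIMES = [120, 135, 128, 131, 125, 130, 122, 127, 133, 129,
                  126, 124, 132, 121, 134, 128, 130, 123, 127, 4200]
SAMPLE_EVENTS = [
    f"2016-03-01T10:00:{i:02d} host=serverName sourcetype=http_access_log ResponseTime={rt}"
    for i, rt in enumerate(RESPONSE_TIMES)
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(lines: List[str]) -> List[Dict]:
    """Turn raw lines into field dicts; the leading token becomes _time."""
    events = []
    for line in lines:
        ts, _, rest = line.partition(" ")
        ev = dict(KV_RE.findall(rest))
        ev["_time"] = ts
        ev["ResponseTime"] = float(ev["ResponseTime"])
        events.append(ev)
    return events


def eventstats_stdev(events: List[Dict], field: str, by: Optional[str] = None) -> List[Dict]:
    """Mimic `| eventstats stdev(<field>) as TotalStdDev [by <by>]`.

    `stats` collapses the search to one summary row, which is why the `append`
    attempt in the question yields a separate row instead of a column. eventstats
    computes over the whole set (or per group) and writes the result onto every
    event. Assumption: Splunk's stdev() is the sample standard deviation (n-1),
    matching statistics.stdev; stdevp() would be the population version.
    """
    groups = defaultdict(list)
    for ev in events:
        groups[ev.get(by) if by else None].append(ev)
    for members in groups.values():
        values = [ev[field] for ev in members]
        mean = statistics.fmean(values)
        # A group with a single event has no spread: leave the statistic empty
        # rather than crash, and let the caller treat the row as in control.
        stdev = statistics.stdev(values) if len(values) > 1 else None
        for ev in members:
            ev["TotalMean"] = mean
            ev["TotalStdDev"] = stdev
    return events


def flag_out_of_control(events: List[Dict], field: str = "ResponseTime",
                        sigmas: float = 3.0, by: Optional[str] = None) -> List[Dict]:
    """Add UCL/LCL control lines and an OutOfControl flag to every event."""
    eventstats_stdev(events, field, by=by)
    for ev in events:
        if ev["TotalStdDev"] is None:
            ev["UCL"] = ev["LCL"] = None
            ev["OutOfControl"] = False
            continue
        ev["UCL"] = ev["TotalMean"] + sigmas * ev["TotalStdDev"]
        # Latency cannot be negative, so clamp the lower control line at zero.
        ev["LCL"] = max(0.0, ev["TotalMean"] - sigmas * ev["TotalStdDev"])
        ev["OutOfControl"] = not (ev["LCL"] <= ev[field] <= ev["UCL"])
    return events


def out_of_control_times(lines: List[str] = SAMPLE_EVENTS, sigmas: float = 3.0,
                         by: Optional[str] = None) -> List[str]:
    """_time of every event outside the control lines, for the given input lines."""
    events = flag_out_of_control(parse_events(lines), sigmas=sigmas, by=by)
    return [ev["_time"] for ev in events if ev["OutOfControl"]]


def max_possible_z(n: int) -> float:
    """Largest |z| a single point can reach when the sample stdev is taken over
    the same n points: (n-1)/sqrt(n). Below 11 points no event, however extreme,
    can ever cross a 3-sigma line, because the spike inflates its own stdev."""
    return (n - 1) / n ** 0.5


if __name__ == "__main__":
    for ev in flag_out_of_control(parse_events(SAMPLE_EVENTS)):
        print(ev["_time"], ev["host"], ev["ResponseTime"],
              round(ev["TotalStdDev"], 1), ev["OutOfControl"])
```

Two caveats that carry straight over to SPL: the whole-set stdev includes the outliers you are trying to catch, so a single spike in a small window can hide itself (max_possible_z shows why fewer than 11 events can never trip a 3-sigma line), and a group with one event has no stdev at all, so the comparison has to tolerate a null TotalStdDev rather than treat it as zero.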
Nice! Thanks MuS and somesoni2!
I went with the eventstats option. It works beautifully.
Hi theironcook,
take a look at this answer https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo... it provides some examples of how it can be done. The answer is not limited to two sources ... it can be applied to endless events.
Hope this helps ...
cheers, MuS