Splunk Stream: How to find outliers in data taken ...

mkresstreysta · ‎02-22-2018

I am trying to find outliers in data taken from stream located on a terminal server, to detect large outbound file uploads. I have written a search which kind of works but I get multiple entries for applications and can't find a way to group them together. The search I have come up with is below. Any help would be appreciated!

index=main host=ts01 source="stream:Splunk_Tcp" NOT dest_ip="192.168.*"
| rename "sum(bytes_out)" AS "bytes_out"
| eventstats avg("bytes_out") as avg stdev("bytes_out") as stdev 
| eval lowerBound=(avg-stdev*2)
| eval upperBound=(avg+stdev*2)
| eval isOutlier=if('bytes_out' > 'upperBound', 1, 0) 
| table "app" "isOutlier" "bytes_out" "stdev" "avg"

skoelpin · ‎02-22-2018

Try something like this

| eventstats avg(count) AS pred by _time
| eval upper=if(count>pred,count,pred) 
| eval lower=if(count<pred,count,pred) 
| eval lower=if(lower=0,"",lower) 
| eventstats avg(count) AS pred, stdev(count) as pred_stdev, by _time
| eval upper=if(upper>pred+1*pred_stdev,pred_stdev*0.5+pred,upper) 
| eval lower=if(lower <pred-1*pred_stdev,pred_stdev*0.5+pred, lower) 
| stats avg(count) AS pred, stdev(upper) AS ustdev, stdev(lower) AS lstdev stdev(count) as stdev by time 
| eval low=pred-lstdev*(sqrt(1/(1-90/100))) 
| eval low=if(low<0, 1, low) 
| eval high=pred+ustdev*(sqrt(1/(1-90/100)))

Splunk Stream: How to find outliers in data taken from stream located on a terminal server, to detect large outbound file uploads?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!