I am trying to find outliers in data taken from a stream source on a terminal server, in order to detect large outbound file uploads. I have written a search that partly works, but I get multiple entries per application and can't find a way to group them together. The search I have come up with is below. Any help would be appreciated!
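index=main host=ts01 source="stream:Splunk_Tcp" NOT dest_ip="192.168.*"
```Note: `NOT dest_ip=...` also keeps events that have no dest_ip at all; use `dest_ip!=...` if those should be dropped. Only 192.168/16 is excluded above, so transfers to the other RFC1918 ranges would still be scored as "outbound"; assumes dest_ip is an extracted IP field -- confirm against the stream sourcetype.```
| where NOT cidrmatch("10.0.0.0/8", dest_ip) AND NOT cidrmatch("172.16.0.0/12", dest_ip)
```Collapse the per-connection events into one row per application first. Without this every event is scored on its own, which is why each app appeared many times. The original `rename "sum(bytes_out)"` had no preceding stats producing that field, so it did nothing.```
| stats sum(bytes_out) AS bytes_out count AS connections BY app
```Population mean and standard deviation across apps; eventstats keeps every row so each app can be compared with the whole.```
| eventstats avg(bytes_out) AS avg stdev(bytes_out) AS stdev
| eval lowerBound=(avg-stdev*2)
| eval upperBound=(avg+stdev*2)
```Only the upper bound matters for upload detection. Caveat: upload volume is heavily skewed, so mean+2*stdev is dominated by the largest apps; a per-app baseline over time (e.g. BY app, _time) or a median/IQR band is usually more robust.```
| eval isOutlier=if(bytes_out > upperBound, 1, 0)
| table app isOutlier bytes_out connections stdev avg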
Try something like this
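```This fragment expects an upstream command that already produces a `count` field per time bucket (presumably something like `| bin _time span=1h | stats count BY app, _time` -- confirm); it does not run on its own.```
| eventstats avg(count) AS pred by _time
```upper/lower hold the count clamped at the per-bucket mean, so a spike only widens the band on its own side.```
| eval upper=if(count>pred,count,pred)
| eval lower=if(count<pred,count,pred)
```A zero lower value is blanked, presumably so the stdev() below ignores quiet periods rather than treating them as real lows.```
| eval lower=if(lower=0,"",lower)
| eventstats avg(count) AS pred stdev(count) AS pred_stdev by _time
```Values more than one stdev from the mean are pulled back to half a stdev so one burst does not inflate the band. The original lower clamp used `pred_stdev*0.5+pred`, which moved a low value above the mean; it is mirrored here to `pred-pred_stdev*0.5`.```
| eval upper=if(upper>pred+1*pred_stdev,pred+pred_stdev*0.5,upper)
| eval lower=if(lower<pred-1*pred_stdev,pred-pred_stdev*0.5,lower)
```The original grouped by `time` here but by `_time` above; this uses `_time` consistently. The stray comma before `by` in the earlier eventstats has also been dropped.```
| stats avg(count) AS pred stdev(upper) AS ustdev stdev(lower) AS lstdev stdev(count) AS stdev by _time
```sqrt(1/(1-90/100)) is about 3.16; the 90 reads as a confidence percentage and is the knob to tune.```
| eval low=pred-lstdev*(sqrt(1/(1-90/100)))
| eval low=if(low<0, 1, low)
| eval high=pred+ustdev*(sqrt(1/(1-90/100)))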