Comments and answers for "Mean for Failed Logons to Windows"
https://answers.splunk.com/answers/109719/mean-for-failed-logons-to-windows.html
The latest comments and answers for the question "Mean for Failed Logons to Windows"

Comment by lguinn2 on lguinn2's answer
https://answers.splunk.com/comments/109884/view.html
I don't understand how you are using the term "mean" - in English, the statistic called "mean" is also called "average." The mean is calculated for a series of numbers by first summing the numbers and then dividing the total by the count of the numbers.
The mean is not a "standard deviation" - for a standard deviation, use the `stdev` function instead.
Finally, this will work for your count by user
`yoursearchhere
| stats count by user`
The `mean` doesn't make sense here, as you have only one value per user.
Thu, 07 Nov 2013 17:40:55 GMT
lguinn2

Comment by hagjos43 on hagjos43's answer
https://answers.splunk.com/comments/109838/view.html
Looks like I figured it out on my own.....
`stats mean(count) as Standard_Deveation_Of_Successful_Logons by user`
Thu, 07 Nov 2013 13:59:00 GMT
hagjos43

Comment by hagjos43 on hagjos43's answer
https://answers.splunk.com/comments/109836/view.html
Thank you! This is what I wanted. Can you add to this though, if I wanted to count the mean of the number of events and show it for each user how would I add that in this query?
Thu, 07 Nov 2013 13:54:20 GMT
hagjos43

Answer by lguinn2
https://answers.splunk.com/answering/109723/view.html
Try this:
`index=xyz ("EventCode=4625") OR ("EventCode=529" OR "EventCode=530" OR "EventCode=531" OR "EventCode=532" OR "EventCode=533" OR "EventCode=534" OR "EventCode=535" OR "EventCode=536" OR "EventCode=537" OR "EventCode=539") (Logon_Type=*)
| stats count by user
| stats mean(count) as MeanCountOfUserEvents`
The `mean` function calculates the average of the field that you name. So `mean(EventCode)` will return the mean of the numeric event codes - and Splunk can't even calculate `mean(user)` because none of the values for `user` are numeric. My example counts the number of events for each user, and then takes the mean of that count.
Wed, 06 Nov 2013 19:09:54 GMT
lguinn2

Answer by Ayn
https://answers.splunk.com/answering/109722/view.html
I don't follow completely what you're trying to achieve - grab a count of failed logons? If so, just do `stats count` at the end of the search, instead of `stats mean(...)`. If I misunderstood your intentions, please describe them in more detail.
Wed, 06 Nov 2013 19:09:49 GMT
Ayn
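
The difference between the `stats` pipelines discussed in lguinn2's answer and comment, as an added example that is not part of the original thread: a small Python model (not Splunk code) of `stats count by user`, a following `stats mean(count)`, and `stats mean(count) by user`, run over constructed events. The function names and the sample users are assumptions made for this illustration.

```python
from collections import Counter
from statistics import mean, stdev

# Failed-logon event codes taken from the search in lguinn2's answer.
FAILED_LOGON_CODES = {4625, 529, 530, 531, 532, 533, 534, 535, 536, 537, 539}

# Constructed sample events (user, EventCode); not data from the thread.
EVENTS = (
    [("alice", 4625)] * 2
    + [("bob", 4625)] * 4
    + [("carol", 529)] * 12
    + [("alice", 4624), ("bob", 4624)]  # successful logons, filtered out
)

def count_by_user(events):
    """Model of `| stats count by user`: one row (one count) per user."""
    return Counter(user for user, code in events if code in FAILED_LOGON_CODES)

def mean_of_counts(counts):
    """Model of a following `| stats mean(count)`: one number for all users."""
    return mean(list(counts.values()))

def mean_count_by_user(counts):
    """Model of `| stats mean(count) by user`: each group holds a single
    value, so the "mean" is that user's count unchanged."""
    return {user: mean([n]) for user, n in counts.items()}

def counts_with_baseline(counts):
    """Each user's count next to the mean and sample standard deviation
    across all users (Splunk's `stdev` is also the sample form)."""
    values = list(counts.values())
    avg, sd = mean(values), stdev(values)
    return {user: (n, avg, round(sd, 2)) for user, n in counts.items()}

if __name__ == "__main__":
    per_user = count_by_user(EVENTS)
    print(dict(per_user), mean_of_counts(per_user))
    print(mean_count_by_user(per_user))
    print(counts_with_baseline(per_user))
```

`counts_with_baseline` corresponds to what hagjos43 asks for in the follow-up comment: the per-user count shown together with the mean across users.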