Mean for Failed Logons to Windows
Comment by lguinn2 on lguinn2's answer
I don't understand how you are using the term "mean" - in English, the statistic called "mean" is also called "average." The mean is calculated for a series of numbers by first summing the numbers and then dividing the total by the count of the numbers.
The mean is not a "standard deviation" - for a standard deviation, use the `stdev` function instead.
Finally, this will work for your count by user:
```
yoursearchhere
| stats count by user
```
The `mean` doesn't make sense here, as you have only one value per user.
Thu, 07 Nov 2013 17:40:55 GMT
lguinn2
Looks like I figured it out on my own...
```
stats mean(count) as Standard_Deveation_Of_Successful_Logons by user
```
Thu, 07 Nov 2013 13:59:00 GMT
hagjos43
Thank you! This is what I wanted. Can you add to this though, if I wanted to count the mean of the number of events and show it for each user how would I add that in this query?
Thu, 07 Nov 2013 13:54:20 GMT
hagjos43
Try this:
```
index=xyz ("EventCode=4625") OR ("EventCode=529" OR "EventCode=530" OR "EventCode=531" OR "EventCode=532" OR "EventCode=533" OR "EventCode=534" OR "EventCode=535" OR "EventCode=536" OR "EventCode=537" OR "EventCode=539") (Logon_Type=*)
| stats count by user
| stats mean(count) as MeanCountOfUserEvents
```
The `mean` function calculates the average of the field that you name. So `mean(EventCode)` will return the mean of the numeric event codes - and Splunk can't even calculate `mean(user)` because none of the values for `user` are numeric. My example counts the number of events for each user, and then takes the mean of that count.
Wed, 06 Nov 2013 19:09:54 GMT
lguinn2
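To make the two-stage pipeline in this answer concrete outside Splunk, here is an added Python example (not from the thread or from Splunk) that applies the same filter to constructed key=value event lines, does the `stats count by user` step, then takes the mean of those counts and, alongside it, the standard deviation that the follow-up comments distinguish from the mean. The event lines, user names and the `outliers` threshold helper are assumptions made for the example.

```python
import re
from collections import Counter
from statistics import mean, stdev

# Constructed sample lines shaped like the key=value fields Splunk extracts from
# Windows Security events (not real log data). 4625 is the Vista+ failed-logon
# code; 529-537 and 539 are the legacy codes listed in the thread's search.
SAMPLE_EVENTS = (
    ["EventCode=4625 Logon_Type=3 user=alice"] * 6
    + ["EventCode=4625 Logon_Type=2 user=bob",
       "EventCode=539 Logon_Type=3 user=bob",
       "EventCode=529 Logon_Type=3 user=carol",
       "EventCode=4625 Logon_Type=10 user=dave",
       "EventCode=4624 Logon_Type=3 user=dave",  # successful logon: not a failure
       "EventCode=4625 user=eve"]                # no Logon_Type: dropped by Logon_Type=*
)

FAILED_CODES = {"4625"} | {str(c) for c in range(529, 540) if c != 538}
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one 'key=value key=value' line into a dict."""
    return dict(FIELD_RE.findall(line))


def failed_logons_by_user(events):
    """Mirror of the search filter followed by '| stats count by user'."""
    counts = Counter()
    for line in events:
        ev = parse_event(line)
        if ev.get("EventCode") in FAILED_CODES and "Logon_Type" in ev and "user" in ev:
            counts[ev["user"]] += 1
    return dict(counts)


def summarize(counts):
    """Mirror of '| stats mean(count)', with stdev(count) alongside so the
    two statistics discussed in the thread can be compared on the same data."""
    values = list(counts.values())
    return {"mean": mean(values), "stdev": stdev(values) if len(values) > 1 else 0.0}


def outliers(counts, k=1.0):
    """Users whose failed-logon count exceeds mean + k*stdev across all users."""
    s = summarize(counts)
    return sorted(u for u, c in counts.items() if c > s["mean"] + k * s["stdev"])


if __name__ == "__main__":
    by_user = failed_logons_by_user(SAMPLE_EVENTS)
    print(by_user, summarize(by_user), outliers(by_user))
```

On the sample data the per-user counts are alice 6, bob 2, carol 1, dave 1, giving a mean of 2.5 and a standard deviation of about 2.38, so only alice sits above mean + 1 stdev.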
I don't follow completely what you're trying to achieve - grab a count of failed logons? If so, just do `stats count` at the end of the search, instead of `stats mean(...)`. If I misunderstood your intentions, please describe them in more detail.
Wed, 06 Nov 2013 19:09:49 GMT
Ayn