Answers for "How do I compare count over two time periods?"
https://answers.splunk.com/answers/508941/how-do-i-compare-count-over-two-time-periods.html
The latest answers for the question "How do I compare count over two time periods?"Answer by DalJeanis
https://answers.splunk.com/answering/508375/view.html
The exact code depends entirely on what you mean by -1 std dev of change in 15 minutes. Here are a couple of examples.
This will look across the last 2 hours and find any minute where the average count for the prior 15 minutes is 1 s.d. below the average across the prior 2 hours.
earliest=-2h index=* app=clamav
| bin _time span=1m
| stats count as mycount by _time
| streamstats avg(mycount) as avgcount15, stdev(mycount) as stdevcount15 time_window=15m
| streamstats avg(mycount) as avgcount120, stdev(mycount) as stdevcount120 time_window=2h
| where avgcount15 < avgcount120 - stdevcount120
This code will find any 15-minute period (2:00-2:15, 2:15-2:30, etc) where the average for the period is 1 s.d. below the average across the prior 2 hours.
earliest=-2h index=* app=clamav
| bin _time span=1m
| stats count as mycount by _time
| eventstats avg(mycount) as avgcount120, stdev(mycount) as stdevcount120
| bin _time span=15m
| stats avg(mycount) as mycount15, first(avgcount120) as avgcount120, first(stdevcount120) as stdevcount120 by _time
| where avgcount15 < avgcount120 - stdevcount120Wed, 08 Mar 2017 22:35:48 GMTDalJeanis