How to display an event count deviation?

matthew_foos · ‎03-29-2018

Hello all,

I've been tasked with building a standard deviation alert / dashboard / report by using the total count of events over 7 days. I've tried the following search with no success:

| metadata type=hosts index=* which gives me a totalCount of events for my hosts.

I'm trying to figure out how to display any deviation that is +/- 10% and alert on this.

I'm happy to provide further information.

Thanks!

kmaron · ‎04-03-2018

okay try this

base search 
| bucket _time span=1d
| stats count BY _time countedfield
| eventstats stdev(count) as stdev BY countedfield
| eval stdevincrease = (stdev*1.1)
| where count > stdevincrease AND _time > now()-(24*60*60)

Set your earliest to be 7 days and your latest to be now.
Your buckets are 1 day time spans
the eventstats will do the standard deviation over the 7 days then the where clause only looks at the last day
So you can set your alert to trigger on anything greater than 0

kmaron · ‎03-29-2018

a deviation over what time frame? You said 7 days for the total count but are you comparing daily? hourly?

matthew_foos · ‎04-02-2018

I will be comparing daily.

How to display an event count deviation?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio