I've been stuck on this for quite some time and I'm hoping someone here can help me. I'm re-purposing a stdev query from one of Splunk's Security Essentials use cases. The purpose of this query is to find accounts / outliers who fall outside what was determined to be their standard deviation. The query works well when outputting the results in a table format. I'll include below the syntax that I'm using.
I would now like to alter this query in a way that will allow me to graph the account in question on a line chart with their calculated average and also their calculated standard deviation. The graph would stretch for 30 days to see their overall daily pattern. I've attempted to use append, appendcols, and join without much success.
Does anyone have a way to use the syntax below and visualize the data into a line chart? Please let me know if you have any questions.
index=wineventlog EventCode=5140
| convert mktime(_time) timeformat="%Y-%m-%dT%H:%M:%S.%3Q%z"
| bucket _time span=1d
| stats count by _time Security_ID
| eventstats max(_time) as maxtime
| stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, "-1d@d"), 'count', null))) as "count" avg(eval(if(_time < relative_time(maxtime, "-1d@d"), 'count', null))) as avg stdev(eval(if(_time < relative_time(maxtime, "-1d@d"), 'count', null))) as stdev by Security_ID
| eval lowerBound=(avg-stdev*exact(2)), upperBound=(avg+stdev*exact(2))
| eval isOutlier=if(('count' < lowerBound OR 'count' > upperBound) AND num_data_samples >= 7, 1, 0)
| table Security_ID, num_data_samples, "count", avg, lowerBound, upperBound, isOutlier
| where isOutlier=1
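One way to turn the daily counts into a line chart with the baseline and the stdev band, as an added example that is not part of the original post or of Splunk Security Essentials. The Security_ID value is a placeholder for the account in question, and the baseline (avg, stdev) is taken from every day in the window except the last one, so the final day is compared against the earlier days the same way the table query above does.

```spl
index=wineventlog EventCode=5140 earliest=-30d@d latest=@d Security_ID="S-1-5-21-PLACEHOLDER-ACCOUNT"
| timechart span=1d count
| eventstats max(_time) as maxtime
| eventstats avg(eval(if(_time < maxtime, 'count', null()))) as avg
             stdev(eval(if(_time < maxtime, 'count', null()))) as stdev
| eval lowerBound=max(avg - stdev * exact(2), 0), upperBound=avg + stdev * exact(2)
| eval isOutlier=if('count' < lowerBound OR 'count' > upperBound, 1, 0)
| table _time, count, avg, lowerBound, upperBound, isOutlier
```

timechart emits a zero-count row for days with no 5140 events, so quiet days stay in the average instead of being dropped as they would be with bucket + stats; with the Line Chart visualization, count, avg, lowerBound and upperBound plot as four series over the 30 days and isOutlier marks the days that fall outside the band.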