-
-
Save erik4github/16f1a5a897a306b76831e9efa92a18f4 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| | bin span=1d _time | |
| | stats sum(count) AS daily_total by _time | |
| | where _time < relative_time(now(), "d") // Exclude today for calculating historical metrics | |
| | eventstats avg(daily_total) AS avg_total stdev(daily_total) AS stdev_total | |
| | eval upper_bound = avg_total + (2 * stdev_total) | |
| | eval lower_bound = avg_total - (2 * stdev_total) | |
| | append [ | |
| search <your_base_search> earliest=-1d@d latest=@d | |
| | bin span=1d _time | |
| | stats sum(count) AS daily_total by _time | |
| ] | |
| | eval is_anomaly = if(daily_total > upper_bound OR daily_total < lower_bound, "Yes", "No") | |
| | search is_anomaly="Yes" | |
| | table _time daily_total avg_total stdev_total upper_bound lower_bound is_anomaly |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| | bin span=1d _time | |
| | stats sum(count) AS daily_total by _time | |
| | eventstats avg(daily_total) AS avg_total stdev(daily_total) AS stdev_total | |
| | eval upper_bound = avg_total + (2 * stdev_total) | |
| | eval lower_bound = avg_total - (2 * stdev_total) | |
| | eval is_anomaly = if(daily_total > upper_bound OR daily_total < lower_bound, "Yes", "No") | |
| | table _time daily_total avg_total stdev_total upper_bound lower_bound is_anomaly |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment