Created November 6, 2017 21:47
Splunk ML Toolkit - Preliminary search to look for missing or low event sourcetypes
| tstats count where index=* AND source="/data/syslog/raw/*" by _time sourcetype host span=1m
| streamstats avg(count) as events_avg time_window=1m
| eventstats median("events_avg") as median p25("events_avg") as p25 p75("events_avg") as p75 by "host", "sourcetype"
| eval IQR=(p75-p25)
| eval lowerBound=(median-IQR*exact(3)), upperBound=(median+IQR*exact(3))
| eval isOutlier=if('events_avg' < lowerBound, 1, 0)
| `splitby("host", "sourcetype")`
| fields _time, "events_avg", lowerBound, upperBound, isOutlier, *
| search isOutlier=1
| stats latest(isOutlier) as isOutlier by _time host sourcetype
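The search's median-minus-3×IQR lower-bound test, re-implemented in Python as an added example that is not part of the gist; the per-minute sample counts and the inclusive percentile method are assumptions. The `fill_gaps` helper goes one step beyond the search: `tstats` emits no row for a minute with zero events, so a sourcetype that stops entirely is only caught once empty minutes are filled with zeros.

```python
"""IQR lower-bound check over per-minute event counts, per (host, sourcetype)."""
from collections import defaultdict
from statistics import quantiles

# Constructed sample, shaped like the rows the tstats stage emits:
# (host, sourcetype, minute, count). Minute 7 of access_combined drops to 2.
SAMPLE = [
    ("web01", "access_combined", t, c)
    for t, c in enumerate([120, 118, 125, 121, 119, 123, 122, 2, 120, 124])
] + [
    ("web01", "syslog", t, c)
    for t, c in enumerate([30, 31, 29, 30, 32, 30, 28, 31, 30, 29])
]


def iqr_bounds(counts, k=3):
    """median -/+ k*IQR, mirroring the two eval lines of the search.
    Assumption: inclusive percentiles; Splunk's p25/p75 may differ slightly."""
    p25, med, p75 = quantiles(counts, n=4, method="inclusive")
    iqr = p75 - p25
    return med - k * iqr, med + k * iqr


def find_low_outliers(rows, k=3):
    """Return (minute, host, sourcetype, count) for counts below the lower bound.
    One-sided like the search: only unusually LOW volumes are flagged."""
    by_key = defaultdict(list)
    for host, st, t, count in rows:
        by_key[(host, st)].append((t, count))
    flagged = []
    for (host, st), series in by_key.items():
        lower, _upper = iqr_bounds([c for _, c in series], k)
        flagged.extend((t, host, st, c) for t, c in series if c < lower)
    return sorted(flagged)


def fill_gaps(rows, minutes):
    """Insert a zero count for every (host, sourcetype) minute with no row.
    Extension beyond the search: without this, a sourcetype that goes silent
    never produces a row and therefore never compares as 'low'."""
    seen = {(h, s, t): c for h, s, t, c in rows}
    keys = {(h, s) for h, s, _, _ in rows}
    return sorted((h, s, t, seen.get((h, s, t), 0)) for h, s in keys for t in minutes)


if __name__ == "__main__":
    print(find_low_outliers(SAMPLE))
```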