
I have been trying to set up an alert to see the spike in traffic in terms of standard deviation. I am setting the upper bound as below:

upperBound=(avg+stdev*exact(4)).

However, I am not able to understand what avg+stdev*exact(4) means in terms of spike and deviation. What will the spike in the traffic be if I write it as (avg+stdev*exact(4))?

Hence, how are the options below different, and what should I choose?

avg+stdev*exact(5)

avg+stdev*exact(4)

avg+stdev*exact(3)

avg+stdev*exact(2)
Vicky

  • You are defining the upper bound (or threshold) of the spike as 4 times the standard deviation compared to what I assume is the current rolling average. What you set the multiplier for the standard deviation to be just depends on your use case; I don't think anyone here can reliably answer that – Andrew Drake Aug 16 '19 at 14:08
  • That being said, Splunk has built-in anomaly detection searches you may want to use instead of hardcoded multipliers – Andrew Drake Aug 16 '19 at 14:10
  • The `exact` function uses greater precision when doing calculations. It adds no value to whole numbers. `avg + stdev*exact(4)` is the same as `avg + stdev*4`. – RichG Aug 16 '19 at 14:32
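
What the multiplier actually buys you, as an added example that is not part of the question or the comments: the Python below mirrors the SPL `avg + stdev*k` threshold on a constructed series of request counts, flags which intervals each of k=2,3,4,5 would alert on, and prints the per-interval chance of a false alert that each k implies if traffic were normally distributed. It assumes that Splunk's `stdev()` is the sample standard deviation (n-1), as `statistics.stdev` is; the `REQUESTS_PER_MINUTE` values are made up.

```python
import math
import statistics

# Constructed sample: 20 one-minute buckets of request counts, all near 100
# except a single spike of 160 in the last bucket.
REQUESTS_PER_MINUTE = [98, 101, 97, 103, 99, 100, 102, 96, 104, 100,
                       101, 99, 103, 98, 100, 97, 102, 99, 101, 160]


def upper_bound(values, k):
    """avg + stdev*k, the quantity the SPL eval upperBound=(avg+stdev*exact(k)) computes.
    Note the spike itself is inside 'values', so it inflates both avg and stdev,
    which is why a rolling baseline that excludes the current bucket alerts sooner."""
    return statistics.mean(values) + statistics.stdev(values) * k


def flagged(values, k):
    """Indexes of the buckets that exceed the k-sigma upper bound."""
    bound = upper_bound(values, k)
    return [i for i, v in enumerate(values) if v > bound]


def sigma_of(values, i):
    """How many standard deviations bucket i sits above the average."""
    return (values[i] - statistics.mean(values)) / statistics.stdev(values)


def expected_false_alert_rate(k):
    """Probability that one quiet bucket exceeds avg + k*stdev by chance alone,
    assuming normally distributed traffic (one-sided upper tail of the normal)."""
    return 0.5 * math.erfc(k / math.sqrt(2))


if __name__ == "__main__":
    for k in (2, 3, 4, 5):
        print(f"k={k}: bound={upper_bound(REQUESTS_PER_MINUTE, k):.1f} "
              f"flagged={flagged(REQUESTS_PER_MINUTE, k)} "
              f"chance false alert per bucket ~{expected_false_alert_rate(k):.1e}")
```

On this series the 160 bucket sits about 4.2 standard deviations above the mean, so k=2, 3 and 4 alert on it while k=5 stays silent; the last column shows that k=2 would also fire on roughly one quiet bucket in 44 under a normal assumption, while k=4 fires on about one in 30,000.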

0 Answers